Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat: it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks, cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all our lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
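The patching hiccups the article describes come largely from transitive dependencies: a project can be on a fixed Log4j itself while a library it pulls in still ships a defective log4j-core. The following is an added example, not code from the article or from Google’s open-source team, showing the build-time check a defender would want: it scans `mvn dependency:tree` style output for log4j-core versions below the fixed release of their branch. The fixed-version table (2.3.2 for the Java 6 branch, 2.12.4 for Java 7, 2.17.1 for Java 8 and later) is my assumption about which Apache releases closed the CVEs listed above; confirm it against Apache’s Log4j security page before relying on it, and note that a lower-numbered branch release such as 2.12.4 can be fixed while 2.17.0 is not.

```python
"""Flag Maven dependency coordinates whose log4j-core version is below the
fixed release for its branch.

Added example; not code from the article or from Google's open-source team.
The fixed-version table below is an assumption: verify it against Apache's
Log4j security page before using it in a real pipeline.
"""
import re
from typing import Dict, List, Optional, Tuple

# Branch-specific fixed releases (assumed, see module docstring). Branches not
# listed here are compared against the mainline fixed release.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 2),     # Java 6 branch
    (2, 12): (2, 12, 4),   # Java 7 branch
}
FIXED_MAINLINE: Tuple[int, ...] = (2, 17, 1)  # Java 8+

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (groupId, artifactId, version) from a Maven coordinate or from a
    line of `mvn dependency:tree` output. Returns None for non-dependency lines.
    Accepted shapes: g:a:v, g:a:type:v, g:a:type[:classifier]:v:scope."""
    text = line.replace("[INFO]", "").strip()
    text = re.sub(r"^[|+\\\- ]+", "", text)  # drop tree-drawing characters
    parts = text.split(":")
    if len(parts) < 3 or not all(parts):
        return None
    group, artifact = parts[0], parts[1]
    if len(parts) == 3:
        version = parts[2]
    elif len(parts) == 4:
        version = parts[3]
    else:
        version = parts[-2]  # version sits just before the scope
    return group, artifact, version


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.14.1' into (2, 14, 1); qualifiers like '-rc1' are dropped."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split("."))


def is_vulnerable_log4j_core(group: str, artifact: str, version: str) -> Optional[bool]:
    """True if this is log4j-core below the fixed release of its branch,
    False if it is log4j-core at or above that release, None if it is some
    other artifact (log4j-api alone does not carry the JNDI lookup code)."""
    if (group, artifact) != LOG4J_CORE:
        return None
    v = parse_version(version)
    if v is None:
        return True  # unparseable version: not proven fixed, so flag it
    fixed = FIXED_BY_BRANCH.get(v[:2], FIXED_MAINLINE)
    return v < fixed


def scan_dependency_tree(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, verdict) for every log4j-core occurrence in the tree,
    including ones pulled in transitively by other libraries."""
    findings = []
    for line in lines:
        parsed = parse_coordinate(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        verdict = is_vulnerable_log4j_core(group, artifact, version)
        if verdict is None:
            continue
        findings.append((f"{group}:{artifact}:{version}",
                         "VULNERABLE" if verdict else "fixed"))
    return findings


# Constructed sample of `mvn dependency:tree` output (not from any real project).
SAMPLE_TREE = """\
[INFO] com.example:shop-api:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.12.4:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:test
""".splitlines()

if __name__ == "__main__":
    for coordinate, verdict in scan_dependency_tree(SAMPLE_TREE):
        print(f"{verdict:10s} {coordinate}")
```

Run against the constructed tree, the scan flags the transitive 2.14.1 and the test-scoped 2.17.0 while accepting 2.12.4, which a naive "anything below 2.17.1" rule would have mislabelled. Test scope is deliberately not excluded: a vulnerable log4j-core on the test classpath still runs during the build.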

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission.”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Mobile phone security is being redone
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. Using this type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference from the TEE structure is significant: there, another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The new Armv9-A architecture, introduced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will in principle be available.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime, extending it from technically savvy individuals and criminal organizations to everyone. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them. A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micro report: in the future, everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    Cyber Command conducted offensive operations to protect midterm elections https://therecord.media/cyber-command-conducted-offensive-operations-to-protect-midterm-elections/
    U.S. Cyber Command conducted both defensive and offensive operations to thwart foreign actors from interfering in the 2022 midterms, according to the digital combat unit’s chief. “We did conduct operations persistently to make sure that our foreign adversaries couldn’t utilize infrastructure to impact us,” [General] Nakasone said. “We understood how foreign adversaries utilize infrastructure throughout the world, we had that mapped pretty well, and we wanted to make sure that we took it down at key times.”

  2. Tomi Engdahl says:

    Finland is the world’s most cyber-secure country for remote work
    https://etn.fi/index.php/13-news/14399-suomi-on-maailman-kyberturvallisin-maa-etaetyoehoen

    Thanks to our eastern neighbour, we too get our share of various network attacks. For example, last week HSL’s services were down because of a denial-of-service attack. From the perspective of remote work, however, Finland is the world’s most cyber-secure country.

    Online marketing specialist Reboot Online has compared the cyber security of different countries specifically from the perspective of remote work. In its assessment, Finland takes the crown as the world’s most cyber-secure country. Finland’s cyber-risk score is the lowest in the comparison, and we have fewer than 300 phishing sites.

  3. Tomi Engdahl says:

    Comment: Unsolicited dick pics will soon be a thing of the past – finally
    Eevi Karvinen
    The sexual offences law is being comprehensively reformed in two weeks. Newspapers are printing a guidebook in plain Finnish: behave like this and you will avoid a conviction, writes Iltalehti journalist Eevi Karvinen.
    https://www.iltalehti.fi/kotimaa/a/89de8218-1dc9-4f49-bea8-fddeb3cea089

    After the turn of the year, acts that are apt to violate another person’s sexual self-determination will count as sexual harassment.

    There is no single correct guideline for this, since our species is not homogeneous in its desires.

    Although the definition of the offence is broadening, the sanctions remain the same: they range from fines to a maximum of six months’ imprisonment.

    He who asks does not lose his way. It should not be absurd to confirm another person’s consent, whether it concerns sexually tinged messaging or direct sexual intercourse.

    – Would you like it if I talked dirty to you? Would you like me to send you an obscene picture?

    Clear, simple sentences. Quite easy to repeat and remember. The answer received must also be accepted. No means no, and the refusal does not need to be repeated.

  4. Tomi Engdahl says:

    Wall Street Journal:
    Epic Games agrees to pay the FTC $520M to resolve two complaints over allegedly violating COPPA and tricking users into making unintended purchases in Fortnite

    Epic Games, Maker of ‘Fortnite,’ to Pay $520 Million to Resolve FTC Allegations
    The agency alleged that the company invaded children’s privacy and tricked players of all ages into making unintended purchases
    https://www.wsj.com/articles/epic-games-maker-of-fortnite-to-pay-520-million-to-resolve-ftc-allegations-11671456744?mod=djemalertNEWS

    Epic Games Inc. has agreed to pay $520 million to resolve Federal Trade Commission allegations that the “Fortnite” videogame developer violated online privacy protections for children and tricked players into making unintended purchases.

    The FTC said the agreement consisted of two record-breaking settlements that resolve a pair of civil complaints it was filing against Epic. One, filed in federal court, alleged the company violated the federal Children’s Online Privacy Protection Act by collecting personal information from “Fortnite” players under the age of 13 without notifying their parents or obtaining verifiable parental consent.

    That lawsuit also accused the company of illegally enabling real-time voice and text chat communications for children and teens in the game by default. Further, the FTC said Epic put those users at risk by connecting them with strangers, and as a result, some were “bullied, threatened, harassed and exposed to dangerous and psychologically traumatizing issues such as suicide.”

    Epic will pay a $275 million civil penalty for the alleged COPPA violations, the FTC said, the largest assessed in the commission’s enforcement of the privacy law.

    The company separately agreed to pay $245 million in consumer refunds to resolve the FTC’s second complaint, which was filed in administrative court. It is the FTC’s largest settlement that bars the use of so-called dark patterns, tactics that trap customers into paying for goods and services and create obstacles to canceling.

    Epic didn’t admit or deny the FTC’s allegations as part of the settlements.

    FTC Chair Lina Khan said protecting the public, especially children, from online privacy invasions and deceptive practices was a top priority. “These enforcement actions make clear to businesses that the FTC is cracking down on these unlawful practices,” she said.

    The FTC’s second complaint alleged that Epic deployed a variety of tactics to drive unintended purchases of virtual currency for acquiring perks such as outfits and dance moves in “Fortnite,” including the use of counterintuitive, inconsistent and confusing button configurations. “These tactics led to hundreds of millions of dollars in unauthorized charges for consumers,” it said.

  5. Tomi Engdahl says:

    Official: Russia, Iran Turmoil Limited Meddling in US Vote
    https://www.securityweek.com/official-russia-iran-turmoil-limited-meddling-us-vote

    Russia’s war in Ukraine and anti-regime protests in Iran limited both Moscow and Tehran’s ability to try to influence or interfere in the recent U.S. midterm elections, a senior American military official said Monday.

    U.S. agencies were on high alert before November’s vote for potential cyberattacks or foreign influence operations, particularly after adversaries were judged by intelligence agencies to have meddled in the last two presidential elections. But there was little sign of disruption in the midterms.

    “I was surprised by the lack of activity we saw from the Russians, the Iranians, or the Chinese,” said Army Maj. Gen. William Hartman, who leads the U.S. Cyber National Mission Force, which partners with the National Security Agency in detecting and stopping election intrusions.

    Russian President Vladimir Putin has been mired in a prolonged war with tens of thousands of casualties since he ordered an invasion of Ukraine in February. And Iran’s leaders are waging a bloody crackdown against street protests sparked by the September death of a 22-year-old woman, in one of the largest sustained challenges to their power since the 1979 revolution.

    Hartman noted that Russia’s domestic, military, and foreign intelligence services are expending more resources than previously expected on Ukraine, which has put up greater resistance than many in Moscow or Washington expected.

    Though on an apparently lesser scale than in recent elections, all three countries have been linked by the U.S. to alleged influence efforts this year.

    And Russia, which was accused by U.S. intelligence of trying to support Donald Trump’s presidential bids in 2016 and 2020, was alleged to be seeking to amplify doubts about the integrity of the election.

    Reply
  7. Tomi Engdahl says:

    Russian hackers targeted petroleum refining company in NATO state
    https://therecord.media/russian-hackers-targeted-petroleum-refining-company-in-nato-state/
    A hacking group associated with Russia’s Federal Security Service (FSB) unsuccessfully attempted to compromise a large petroleum refining company within a NATO member state at the end of August, according to a new report. The advanced persistent threat group, known as Trident Ursa (also referred to as Gamaredon, Primitive Bear and Shuckworm) is “a specially created structural unit” of the FSB “whose tasks are intelligence and subversive activities against Ukraine in cyberspace,” in the analysis of Ukraine’s Security Service. It primarily uses HTML and Word documents as spear phishing lures and, alongside its traditional efforts targeting Ukrainian entities with Ukrainian-language lures, is now also increasingly using English-language lures, according to research published Tuesday by Palo Alto Networks’ Unit 42.

    Reply
  8. Tomi Engdahl says:

    Is Cloud Native Security Good Enough?
    https://blog.checkpoint.com/2022/12/20/is-cloud-native-security-good-enough/
    Global organizations are digitally transforming via cloud native applications and services. Use of cloud native can drive innovation, accelerate speed to market, and can bring about cost savings that fuel new growth. Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud, of course offer security features and services, which are designed to address significant threats to cloud-based data.
    However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

    Reply
  9. Tomi Engdahl says:

    4 Most Common Cyberattack Patterns from 2022
    https://securityintelligence.com/articles/most-common-cyberattack-patterns-2022/

    1. Ransomware

    It’s been a somewhat strange year for ransomware. The first half of the year saw a surge of ransomware attacks, but then subsided in Q3 and continued to slow down. Still, the percentage of breaches caused by ransomware grew 41% in the last year; identification and remediation for a breach took 49 days longer than the average breach.

    Ransomware attacks typically follow roughly the same pattern. An attacker gains control of one or many of an organization’s assets, such as critical data, encodes them and demands a ransom for their release.

    2. Email Compromise

    Compromised emails can seem like a frustratingly basic and simple way for attackers to infiltrate your company network, but (perhaps because of that simplicity) this remains a very common and effective attack pattern in 2022.

    After a downturn in this type of attack in 2020 and 2021, email cyberattacks increased by 48% in the first half of 2022, with reports of 11,395 incidents costing businesses a total of $12.3 million.

    A common attack pattern here involves phishing, which is still the most common attack method in 2022. Phishing emails are usually short, often refer to things like unpaid invoices and are increasingly smart and consistently effective.

    3. Supply Chain Attacks

    With the emergence of the first major war in Europe for decades, 2022 saw a rise in attacks targeting national and international infrastructure, such as supply chains.

    As supply chains continue to become more interconnected, complex and reliant on technology, the risk of attacks grows, along with their potential to inflict disaster. Research suggests that up to 40% of cyber threats are now occurring directly through the supply chain.

    A report by Accenture in May found that supply chain disruptions in the Eurozone have led to a loss of €112 billion so far and could amount to €242 billion across 2022 and 2023 — a staggering 2% of GDP.

    4. Attacks on Internet of Things (IoT) Devices

    As the Internet of Things continues to grow in scope, sophistication and accessibility, it’s becoming an increasingly tempting target for cyber criminals. IoT devices are now used in our homes, offices, assembly lines, factories and much more. They allow businesses to tap into data insights in entirely new ways, reduce the workload of human employees and essentially add to the bottom line. With benefits like these, IoT is not going away anytime soon.

    The very fact that IoT devices use large amounts of data makes them attractive targets for hackers, especially since many IoT devices are not well-secured. One example is the MiCODUS MV720 GPS tracker — a device for tracking vehicles and preventing theft and other forms of loss through actions like cutting fuel supply.

    Looking to the Future

    2022 showed us that cybersecurity is constantly evolving and always of the utmost importance. As we enter a new year, it’s likely that security teams will have to contend with an entirely new range of threats and attack patterns.

    But if 2022 is any indication, most of the major threats will be preventable with robust security hygiene and best practices.

    Reply
  10. Tomi Engdahl says:

    James Reddick / The Record:
    US prosecutors say two men conspired with Russian hackers to tamper with JFK airport’s taxi queuing software, allegedly letting drivers cut the line for a fee — Two Queens men have been arrested and are facing up to 10 years in prison on charges that they conspired with Russian hackers …

    Russian hackers accessed JFK airport taxi software: Port Authority
    https://therecord.media/russian-hackers-accessed-jfk-airport-taxi-software-port-authority/

    Two Queens men have been arrested and are facing up to 10 years in prison on charges that they conspired with Russian hackers to tamper with JFK airport’s taxi queuing software, allegedly allowing drivers to cut the line for a fee.

    According to an indictment unsealed on Tuesday, Daniel Abayev and Peter Leyman, both 48, plotted to hack the “dispatch system” starting as early as September 2019. Taxis at JFK are required to wait in a holding lot, with an automated system run by Port Authority of New York and New Jersey designed to ensure that drivers can pick up passengers in the same order in which they arrived.

    The two men saw an opportunity in the sometimes hours-long wait times, with Abayev allegedly writing to one Russian hacker in 2019: “I know that the Pentagon is being hacked. So, can’t we hack the taxi industry[?].”

    The conspirators are accused of attempting to access the system in a variety of ways, including bribing someone to install malware via a flash drive, using a Wi-Fi connection to access the system, and stealing tablets connected to the platform.

    Reply
  11. Tomi Engdahl says:

    Cybercriminals’ latest grift: powdered milk and sugar by the truckload
    https://therecord.media/cybercriminals-latest-grift-powdered-milk-and-sugar-by-the-truckload/

    Cybercriminals are increasingly targeting companies in the food and agriculture sector with business email compromise (BEC) schemes, resulting in truckloads of products ending up in scammers’ hands.

    In a joint Cybersecurity Advisory from the FBI, Food and Drug Administration and U.S. Department of Agriculture released on Thursday, officials warned of the prevalence of BEC scams, in which threat actors send emails impersonating employees of a legitimate company to place fraudulent orders. In the cases cited in the advisory, the criminals used email addresses with slight differences from those they were imitating.

    In one instance, in August, a supplier received a request for a truckload of sugar on credit from a senior employee at an unnamed U.S. company. The recipient of the request noticed the extra letter in the domain name of the address and, after contacting the company, discovered there was nobody there with that name.

    Others weren’t so fortunate, however. Also in August, a food distributor received an email from a multinational food and beverage company for two truckloads of powdered milk. The request came from the company’s chief financial officer, and the shipment was sent. In fact, the email address had one extra letter in the domain name and the distributor ended up on the hook for more than $160,000.

    Other scams, all for powdered milk, resulted in losses of as much as $600,000.

    Reply
  12. Tomi Engdahl says:

    FBI warns of search engine ads pushing malware, phishing
    https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-ads-pushing-malware-phishing/
    The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges. In today’s public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search result pages and link to sites that look identical to the impersonated company’s website. “When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result,” warns the FBI. “These advertisements link to a webpage that looks identical to the impersonated business’s official webpage.”

    Reply
  13. Tomi Engdahl says:

    Is Enterprise VPN on Life Support or Ripe for Reinvention?
    https://www.securityweek.com/enterprise-vpn-life-support-or-ripe-reinvention

    While enterprise VPNs fill a vital role for business, they have several limitations that impact their usability and cybersecurity

    Overnight, remote work evolved from a rarely used ‘perk’ with separately managed security and compliance processes, to becoming the center for keeping business running during the pandemic. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site.

    However, as fast as VPNs were deployed, organizations learned their limitations and security risks. While acceptable under the unique conditions created by COVID-19, VPNs’ shortcomings have exposed the technology as being out of step with the new realities of the cloud and the anywhere workforce era. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh akin to the introduction of next-gen firewalls?

    Enterprise VPNs encrypt and tunnel traffic to a VPN server, which typically resides within the main secure corporate network. The tunnel connects employee devices to the enterprise network as if they were on-premises — providing secure access to all organization’s resources.

    VPN Limitations and Security Risks

    While enterprise VPNs fill a vital role for the modern business, they have several limitations that impact their usability and corporate cybersecurity, including:

    • Limited scalability and management complexity – A major VPN disadvantage that quickly emerged as part of the rushed COVID-19 build-out is its lack of scalability. Adding more VPN concentrators and appliances to minimize VPN overload issues leads to increasing network complexity and additional maintenance expenditure.

    • End user friction – Typically, users who need to access the corporate network are used to thinking of a VPN as a cumbersome, unreliable way of getting remote access. Application disruptions, requiring frequent manual restarts and re-connection to the network, or at minimum re-authentication, are very common experiences that impact user productivity and adoption.

    • Endpoint vulnerabilities – Endpoints that have legitimate access to the VPN can sometimes be compromised via phishing and other cyberattacks. Since the endpoint, once authenticated, has full access to the corporate resources via the VPN, so does the cyber adversary who has compromised the endpoint.

    • Excessive and implicit trust – One of the biggest disadvantages of VPNs is that they implicitly trust all users and connections. VPNs rely on a set of credentials that allow authenticated users to access corporate data and applications from any location. That’s great in theory, but in practice if an attacker manages to get those credentials, they have almost unfettered (and often unnoticed) access to exploit any of an organization’s network resources and applications.

    Conclusion

    Traditional VPNs aren’t dead, but they are likely to be phased out in favor of more flexible, scalable next-gen VPNs, or ZTNA. These will provide organizations the best of both worlds: protection on any device and any network, with an on-demand VPN connection that can be deployed back to the enterprise whenever it’s needed.

    Reply
  14. Tomi Engdahl says:

    There is a dire shortage of cybersecurity professionals
    https://etn.fi/index.php/13-news/14410-kyberturvan-ammattilaisista-on-huutava-pula

    There is an acute shortage of cybersecurity professionals. Globally, the shortfall has been estimated at three million professionals. In Finland, Metropolia University of Applied Sciences is trying to tackle the problem with a new curriculum in which cybersecurity plays a very important role. A key part of the programme is the Fortinet Training Institute’s NSE (Network Security Expert) training.

    The business environment is changing rapidly as new threats emerge and both new and old criminals learn to use different tactics. Although the cybersecurity industry adapts and evolves continuously, Finnish companies and organisations have many things to take into account as new technological innovations arrive, in order to ensure the best possible level of security.

    Companies must secure their assets and ensure that their employees are continuously ready to react to a cyberattack if they want to move forward safely and avoid the losses caused by cybercriminals or malicious attackers. According to Traficom’s Cyber Weather October 2022 report, the biggest cyber threats in October were data breaches and leaks, fraud and phishing, malware and vulnerabilities (including ransomware), automation and IoT, network operations, and espionage.

    Reply
  15. Tomi Engdahl says:

    FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
    https://www.securityweek.com/fbi-recommends-ad-blockers-cybercriminals-impersonate-brands-search-engine-ads

    The Federal Bureau of Investigation (FBI) this week raised the alarm on cybercriminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.

    The attackers register domains similar to those of legitimate businesses or services and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert.

    These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.

    Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains.

    If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.

    “These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes.

    Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
    https://www.ic3.gov/Media/Y2022/PSA221221

    Reply
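    The lookalike-domain pattern described in the BEC advisory (comment 11, an address with one extra letter in the domain) and in the FBI’s warning about impersonated brands above can be screened for with an allowlist plus edit distance. This is an added example, not code from the FBI advisories or the articles quoted; the allowlist domains and sample messages are constructed.

```python
"""Flag sender domains that are a letter or two away from a known-good domain.

Added example (not code from the FBI advisory or the articles quoted above).
It models the pattern described: a fraudulent order arrives from an address
whose domain differs from the real company's by one extra or swapped letter.
All domains and messages below are constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed allowlist: domains this company genuinely does business with.
KNOWN_GOOD_DOMAINS = frozenset({
    "example-foods.com",
    "example-dairy.com",
    "example-bank.com",
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lowercased domain of an address such as 'CFO <cfo@x.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    if not match:
        raise ValueError(f"no domain in sender address: {address!r}")
    return match.group(1).lower().rstrip(".")


def classify_sender(address: str,
                    known_good: frozenset[str] = KNOWN_GOOD_DOMAINS,
                    max_distance: int = 2) -> tuple[str, str | None]:
    """Classify a sender as 'trusted', 'lookalike' or 'unknown'.

    'trusted'  : domain is on the allowlist, or a subdomain of an entry.
    'lookalike': within max_distance edits of an entry but not equal to it
                 (one extra letter, a swapped character, '1' for 'l', ...).
    'unknown'  : nothing close on the allowlist; handle by normal policy.
    The second element is the allowlist entry matched, if any.
    """
    domain = sender_domain(address)
    for good in known_good:
        if domain == good or domain.endswith("." + good):
            return "trusted", good
    closest, best = None, max_distance + 1
    for good in known_good:
        dist = levenshtein(domain, good)
        if dist < best:
            closest, best = good, dist
    if best <= max_distance:
        return "lookalike", closest
    return "unknown", None


def flag_suspicious_orders(messages: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return order e-mails whose sender is a lookalike of a trusted domain."""
    flagged = []
    for msg in messages:
        verdict, matched = classify_sender(msg["from"])
        if verdict == "lookalike":
            flagged.append({**msg, "impersonates": matched})
    return flagged


# Constructed sample: one genuine order, one with an extra letter in the
# domain (as in the advisory), one digit-for-letter swap, one unrelated sender.
SAMPLE_MESSAGES = [
    {"from": "CFO <cfo@example-foods.com>", "subject": "PO 4411: 2 truckloads powdered milk"},
    {"from": "CFO <cfo@example-foodss.com>", "subject": "PO 4412: 2 truckloads powdered milk"},
    {"from": "orders@examp1e-dairy.com", "subject": "Sugar, one truckload, net 30"},
    {"from": "newsletter@unrelated-vendor.org", "subject": "Monthly catalogue"},
]

if __name__ == "__main__":
    for hit in flag_suspicious_orders(SAMPLE_MESSAGES):
        print(f"HOLD for verification: {hit['from']} "
              f"impersonates {hit['impersonates']}: {hit['subject']}")
```

    A flagged order is a prompt to verify the request out of band, as the supplier in the advisory did; an "unknown" verdict is not a clean bill of health, only a sender with no close allowlist match.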
  16. Tomi Engdahl says:

    France Seeks to Protect Hospitals After Series of Cyberattacks
    https://www.securityweek.com/france-seeks-protect-hospitals-after-series-cyberattacks

    The French government announced a “vast training programme” on Wednesday to help hospital staff guard against hackers after a series of cyberattacks against medical facilities.

    “The target is that 100 percent of the most important health facilities have undergone these new exercises by May 2023,” the interior, health and digital services ministers announced in a joint statement.

    Further effort will be made to spread best-practice throughout French hospitals in “the reactions and practices to adopt in case of a cyber event,” the statement added.

    The announcement reflects mounting concern in France about repeated attacks on hospitals that see cyber criminals lock down a facility’s critical IT networks and data before demanding a ransom to release them.

    In a case earlier this month, hackers infiltrated a major public hospital in Versailles outside of Paris, meaning the emergency ward had to operate at around 50 percent capacity and the maternity unit at a third.

    Reply
  17. Tomi Engdahl says:

    Over 50 New CVE Numbering Authorities Announced in 2022
    https://www.securityweek.com/over-50-new-cve-numbering-authorities-announced-2022

    More than 50 organizations have been added as a CVE Numbering Authority (CNA) in 2022, bringing the total to 260 CNAs across 35 countries.

    Most CNAs can assign CVE identifiers to vulnerabilities found in their own products, but some can also assign CVEs to flaws found by their researchers in third-party software that is not in another CNA’s scope.

    SecurityWeek has conducted an analysis of announcements made by the CVE Program and found that 54 CNAs were added in 2022, compared to 43 in 2021.

    The 2022 list includes cybersecurity companies such as Proofpoint, Bugcrowd, Qualys, CyberArk, Green Rocket Security, Dragos, SailPoint, Senhasegura, NetRise, HYPR, and Netskope.

    Major tech companies such as Baidu, Canon, Google (open source software), Seagate, Unisoc, GE Healthcare, Philips, Medtronic, Baxter Healthcare, and Citrix are now also CNAs.

    Major industrial solutions providers such as General Electric (Gas Power), Honeywell, and Rockwell Automation can now also assign CVEs to vulnerabilities.

    Reply
  18. Tomi Engdahl says:

    NordPass, the password management tool, released its list of the 200 most common passwords in 2022— and people are still using notoriously weak passwords.

    Hackers guessed the world’s most common password in under 1 second—make sure yours isn’t on the list
    https://www.cnbc.com/2022/11/23/most-common-passwords-of-2022-make-sure-yours-isnt-on-the-list.html?utm_term=Autofeed&utm_medium=Social&utm_content=Intl&utm_source=Facebook#Echobox=1671773323

    NordPass, the password management tool from the team behind NordVPN, released its list of the 200 most common passwords in 2022 — and it turns out people are still using notoriously weak passwords.

    The most common password in the world this year was the infamously bad “password”, and it took hackers under one second to crack it. The same goes for the second and third most common passwords: “123456” and “123456789”, respectively.

    Bitwarden, an open source password manager, found 31% of survey respondents in the U.S. experienced a data breach within the last 18 months, according to its 2022 password management survey. To avoid adding to that statistic, NordPass recommends choosing a complex password of at least 12 characters with a variety of upper and lowercase letters, symbols and numbers. A password generator is a helpful way to form these kinds of complex passwords.

    You should also refrain from reusing a single password for multiple accounts, though the impulse is understandable — and common. The Bitwarden 2022 password management survey found more than 8 in 10 Americans reuse passwords across websites, with 49% of respondents saying they rely on memory to oversee their passwords.

    Reply
  19. Tomi Engdahl says:

    Nation-state Hacking – What You Need to Know
    A Word from the CEO
    https://heimdalsecurity.com/blog/nation-state-hacking/

    Reply
  20. Tomi Engdahl says:

    Cyber attacks set to become ‘uninsurable’, says Zurich chief
    https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

    There is growing concern among industry executives about large-scale strikes

    The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.

    Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn. 

    Reply
  21. Tomi Engdahl says:

    National Cyber Security Centre’s guidance for users of the breached password service: this is how you protect your data
    https://www.tivi.fi/uutiset/tv/7855d65e-30b4-406e-b5be-e94591a76108
    The password management service LastPass has suffered a data breach in which the perpetrator obtained sensitive user data. The attack used parts of source code stolen in August and technical details of the development environment, with which the attacker managed to break into a LastPass employee’s account. Certificates and keys were taken from the employee’s account, giving the attacker access to the cloud storage holding customers’ backups. The attacker also intruded into the password vaults but was unable to break the protection of users’ passwords. Master passwords, for their part, are not even stored in the service. Despite this, Olli Hönö, an information security specialist at the National Cyber Security Centre, urges users to change the passwords stored in LastPass. If there are several dozen passwords stored in LastPass, Hönö advises picking out the most important ones and changing at least those.

    Reply
  22. Tomi Engdahl says:

    LastPass Breach – The danger of metadata
    https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
    When an organisation suffers a data breach it’s usually bad. When an organisation that stores 25 million people’s passwords does, that’s really bad. There are multiple risks here at play. But the metadata, this is terrible just on its own. It shows who I’ve worked/work with, it leaks internal URLs, public URLs, it gives away intel on technology (e.g. PHPMYADMIN), it leaks real IP addresses that I’ve obscured using CDNs and proxies, it shows honeypots and other sites I interface with.
    Expand this out to a million people, then expand it to 25 million people.

    Reply
  23. Tomi Engdahl says:

    Google: With Cloud Comes APIs & Security Headaches
    https://www.darkreading.com/cloud/google-cloud-apis-security-headaches
    Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots, with 40% of companies suffering an incident due to misconfiguration and a third coping with the latter two issues.
    Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but most companies (greater than 60%) discovered issues during the software development process, during application deployment, and by using real-time monitoring, according to the survey of more than 500 technology leaders. Despite these issues, more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions, says Vikas Anand, head of product for business application platforms at Google Cloud.

    Reply
  24. Tomi Engdahl says:

    Omer Benjakob / Haaretz:
    A look at Tel Aviv-based Toka, which helps governments, intelligence agencies, and law enforcement hack security cameras to alter live feeds and past recordings — Meet Toka, the Israeli cyber firm founded by Ehud Barak, that lets clients hack cameras and change their feeds – just like in Hollywood heist movies

    This ‘Dystopian’ Cyber Firm Could Have Saved Mossad Assassins From Exposure
    https://www.haaretz.com/israel-news/security-aviation/2022-12-26/ty-article-magazine/.highlight/this-dystopian-cyber-firm-could-have-saved-mossad-assassins-from-exposure/00000185-0bc6-d26d-a1b7-dbd739100000

    Meet Toka, the Israeli cyber firm founded by Ehud Barak, that lets clients hack cameras and change their feeds – just like in Hollywood heist movies

    On January 10, 2010, Hamas’ point man with the Iranians, Mahmoud al-Mabhouh, was assassinated in Dubai. A month later, the local police force stunned the world – and Israel – by painstakingly piecing together hours of closed-circuit TV footage. The videos were combed to trace the 30 Mossad assassins’ steps and reveal their faces.

    Reply
  25. Tomi Engdahl says:

    CyberScoop:
    Current and former CISA employees and sources detail an agency that lacks a clearly defined strategic direction and whose leadership seems more focused on PR

    Insiders worry CISA is too distracted from critical cyber mission
    https://www.cyberscoop.com/cisa-dhs-easterly-cyber-mission/

    In the fall of 2018, they passed legislation

    Republicans and Democrats praised the new Cybersecurity and Infrastructure Security Agency, which replaced the National Protection and Programs Directorate inside DHS. Rep. Michael McCaul, R-Tex., said it would “strengthen the security of federal networks and our nation’s critical infrastructure.” Rep. Jim Langevin, D-R.I., was another early booster of the new agency — and has been one of its most vocal champions.

    But four years in, CISA appears to be struggling with internal divisions over the direction of the agency, morale problems and growing concerns about leadership priorities. CyberScoop spoke with 14 current and former CISA employees and 18 additional people familiar with CISA’s internal operations. Most described an agency that lacks a clearly defined strategic direction and often seems more focused on its public image than working on the nation’s thorniest cybersecurity problems.

    Even Langevin, who is retiring from Congress next month after spending years promoting cybersecurity legislation, is frustrated. “There are a lot of things that the agency can and should do better,”

    An organization struggling to find its way

    People inside the organization, and those who recently left, complain that leadership hasn’t articulated priorities and often seems insulated from staff, leaving many to hear about agency initiatives via Twitter instead of from managers.

    “Front-line employees would benefit from having a consistent directional strategy,”

    He said that what’s absent from agency brass is direction on “clear outcomes or a clear understanding of what good looks like.” Without that, he said, employees can have “the perception that every new email will be just the flavor of the week and next week they’ll be on to something different.”

    A current senior U.S. cyber official was more direct. “I don’t know what the CISA vision and agenda is internally from leadership,” the official said. “I think they do far more external communication than internal communication.”

    The official highlighted that one of the agency’s key challenges lies in its inability to hire the right cyber talent, which has had significant negative downstream effects on other problems it faces. “Their hiring challenges significantly hurt their ability to execute their mission,” the official said.

    CISA has particularly struggled to hire highly skilled technical talent. A CISA blog post from June said the agency had nearly 150 open cybersecurity positions it sought to fill.

    Nearly all of those interviewed acknowledged the agency has plenty of existential challenges, such as a vast DHS bureaucracy and a difficult mission due to the sheer number of U.S. entities needing cybersecurity assistance.

    Still, many said there’s a growing perception inside — and outside — CISA that an over emphasis on carefully managing and promoting Director Jen Easterly’s brand is taking precedence over more critical matters. Easterly is a staple at industry gatherings such as the RSA Conference, DEF CON and CYBERWARCON as well as at corporate speaking events such as the Mandiant mWise conference, a recent Google panel and another on the floor of the New York Stock Exchange.

    “The day-to-day effect of Jen’s branding push is that it hurts the work and mission execution,” a former CISA official said. “It’s not what the staff want … They want the focus to be about the work, not about one person.”

    Easterly defended her focus on external relations in a statement to CyberScoop.

    “CISA is fundamentally a partnership agency; our ability to effectively protect and defend the critical infrastructure Americans rely on every day — much of which is owned by the private sector — is dependent on our ability to develop trust with our partners,” the statement said. “People don’t trust institutions; they trust people.”

    “The technical community is always unhappy because they feel like the spotlight should be on them,” he said. “They’re the true guardians of cybersecurity … . She’s actually got a good technical background. So, to say there’s a complaint from the technical community it’s like, ‘So what else is new?’ You’re never going to be happy because the person they want doesn’t exist. They want someone who has executive experience and a great public persona, but also happens to be an uber-geek and uber-geeks don’t come with great leadership skills and great public skills.”

    Many CISA employees said they wouldn’t take issue with Easterly’s PR focus if there was less discontent inside the agency. For example, the mood at CISA virtual town halls is such a concern that questions are typically limited ahead of time. As a result, some staffers have taken to asking Easterly hostile questions left anonymously in the town hall Zoom chat. After Easterly told CISA staff they would be held accountable for their work in one such virtual meeting, an employee went to the chat to ask how leadership is being held accountable. Easterly told the anonymous staffer, “If you don’t like it here, you can leave,” according to someone in the meeting.

    Easterly did inherit plenty of problems. She is charged with running an agency that needs more in-house technical talent and therefore relies on a significant number of contractors. A former senior CISA official who now works with the agency on behalf of industry said contractors are often left struggling to understand what CISA wants. “It’s almost impossible to work for them and everyone in the industry knows it,” the person told CyberScoop. “Our biggest frustration is that they don’t communicate with contractors. Congress is throwing [money] at them and it’s not clear what they’re doing with it.”

    “What often happens is that individual teams manage their own infrastructure,” the source said. “That’s a [spending] problem, but it’s also a security problem because it means there is no central place for oversight to happen.”

    Other CISA staff and observers said the agency sometimes prematurely stands up or rebrands existing initiatives. CISA’s Joint Cyber Defense Collaborative is a good example of an initiative the agency rebranded with mixed results, according to multiple sources, including two who partner with JCDC.

    A CISA spokesperson sent CyberScoop a blog post Easterly wrote about the JCDC in September. The post highlights CISA’s work on Log4Shell

    “None of us share anything anymore,” one of the JCDC technical partners said. “It turned out that we were just broadcasting to a channel of lawyers.”

    The JCDC technical partner also said that security researchers, industry and others collaborate on an “operational” Slack platform that does not currently have much traffic.

    In general, many critics say CISA is focusing too much energy on building alliances with major industry players and large corporate partners. The relationships are often one-sided

    often aren’t sharing significant information with CISA about current threats.

    Reply
  26. Tomi Engdahl says:

    Dhruv Mehrotra / Wired:
    A look at Flipper Zero, a $200 portable security penetration testing device for hackers to intercept and replay signals from IoT sensors, garage doors, and more

    Hands On With Flipper Zero, the Hacker Tool Blowing Up on TikTok
    Don’t be fooled by its fun name and Tamagotchi-like interface—this do-everything gadget is trouble waiting to happen and a whole lot more.
    https://www.wired.com/story/what-is-flipper-zero-tiktok/

    Reply
  27. Tomi Engdahl says:

    A Defense Playbook for Diffusing CCTV Cybersecurity Threats
    As long as IoT and CCTV devices can be hacked, the danger is present. Here’s how to tackle threats.
    https://www.spiceworks.com/it-security/cyber-risk-management/guest-article/playbook-for-diffusing-cctv-cybersecurity-threats/

    In the eternal battle against cyber criminals, every technological advance comes with fresh new avenues for cybercriminals to ply their trade. Camellia Chan, CEO and founder of X-PHY, looks closely at CCTV cybersecurity threats and how vulnerabilities can be better protected.

    It can be especially vexing when criminals turn our own security technologies against us, as they are doing in closed circuit television (CCTV), IoT, and other video security devices. In 2021, a hacker collective gained access to 149,000 security camera footage in their invasion of cloud video security startup Verkada’s systems. In June and September of this year, groups of Iranian dissidents hacked thousands of Iranian surveillance cameras in two separate attacks, both motivated by political dissent. Hackers do not stop at making political statements. They also target smaller stakes CCTV sources to steal identities or stalk victims, targeting ATMs, residential doorbell cameras, or traffic cameras. Let’s look at the vulnerabilities of CCTV threats and how we can counter them to keep our finances, identities, and ourselves safe.

    CCTVs are Everywhere, and So Are Vulnerabilities

    As long as IoT and CCTV devices can be hacked, accessed, watched and acted upon, the danger is present. Hackers have easy access to home security and can monitor the comings and goings, causing invasions of privacy which can result in burglaries, robberies, stalking, etc. Retail stores, banks, and other CCTV business breaches can lead to stolen identities, bank accounts, or credit card numbers. Cybercriminals are matching security experts in the sophisticated ‘arms race.’ Similar to how law enforcement uses CCTV footage to identify criminals, cybercriminals can do the same with stolen footage.

    Today, many cameras are equipped with facial recognition technology. If cybercriminals hack into the server that stores and analyses video footage using such tech, they can gain unfettered access to your identity and any other stored data. The Verkada hack exposed video footage of scores of businesses, including Equinox gyms, Tesla, various banks, schools, and jails. On an even larger scale, CCTVs offer another channel into which hacktivists, rival governments, and terrorists can foist potentially catastrophic threats to corporate or national security in accessing video within military bases or other institutions.

    Hackers Find CCTV Security Exposures through Hardware and Software

    Physical Security and Cybersecurity Teams Combine Forces to Battle CCTV Hackers

    Like most cybersecurity threats, most CCTV intrusions are preventable. The rapid growth of connected devices means that it takes the whole village to secure our data. Everybody from the manufacturer to the end user and cybersecurity teams to vendors must do their part to maintain the devices’ integrity. Organizations’ physical security teams should collaborate closely with CISOs and internal cybersecurity teams to create a united and holistic front to stave off such attacks. Many criminal incursions result from preventable errors in fundamental best practices, such as not changing the factory set password upon setup, using the same password for all devices, connecting to a poorly protected network, or a lack of dynamic authentication or unencrypted video protocols to access the live stream of stored footage.

    Cyber Hygiene At Home to Protect Doorbells and Security Cameras

    Cameras are everywhere to protect us against crime, yet cybercriminals are using our own security programs to their advantage. At home, people with security camera systems such as Ring or SimpliSafe should practice simple cyber hygiene techniques that prevent most breaches, starting with ensuring the device they buy is from a reputable source and manufacturer. In 2021, Consumer Reports found that four of the 13 video doorbells/home security cameras had vulnerabilities, exposing their owners to hacking and leaks of personal data, including email addresses and Wi-Fi passwords. Upon setting up the device, you should always change the default password, use complex passwords that are harder to crack and change the passwords regularly.

    Don’t Underestimate Cybersecurity Education

    The National CyberSecurity Alliance (NCA) reported that in 2022, only thirty-six percent of people reported that they changed their passwords every few months, with 29% saying they do not change them unless they are forced to do so. For organizations, minimizing human interaction is key to reducing the possibility of human error in allowing hackers into the system through phishing attacks or social engineering attacks. But companies should not underestimate the necessity for cybersecurity awareness and education.

    The NCA revealed that more than half (58%) of the participants who had received training said they were better at recognizing phishing messages, while 45% had started using strong and separate passwords. On the technology side, cybersecurity teams should take proactive measures to fortify hardware-based cybersecurity measures, adopting zero-trust frameworks. Additionally, they should implement regular patching, compromise assessments, red teaming, and penetration testing, in which a security expert like the one who exposed the SpaceX issue — aka an ethical hacker — is enlisted to execute a simulated attack on the CCTV system.

    CISOs, Device Manufacturers, and the US Combine Efforts to Secure IoT and CCTV Cameras

    CISO and individual vigilance via procedures and education can offer stout protection against threats, but the securing of IoT and CCTV devices is undoubtedly a challenging undertaking, with numerous internet-facing touchpoints of potential exposure across hardware, software, and humans.

    Manufacturers also need to step up their hardware and firmware security game. The White House is working with private sector businesses, associations and government partners on a plan for a labeling system to rate the cyber resilience of Internet of Things (IoT) devices which will be similar to the appliance Energy Star rating system. While it’s impossible to thwart all cyber threats, we would be foolish not to take every precaution available to make life harder for the bad actors seeking to invade our privacy.

    Reply
  28. Tomi Engdahl says:

    The metaverse ushers in a new era of cyber threats
    https://www.securitymagazine.com/articles/98571-the-metaverse-ushers-in-a-new-era-of-cyber-threats

    The reality of the metaverse, where builders aim to create a shared, immersive and interactive digital world that combines virtual reality (VR) and augmented reality (AR) with avatars, digital twins and Internet of Things (IoT) devices, is only a few years away. With all the chatter about the metaverse, many are beginning to get an idea of what it might look like, but few understand the infrastructure behind its technology.

    It would be unwise to assume that the cybersecurity threat landscape of Web3 will be simply a continuation of today’s common Web2 threats. The next-level complexity of hardware and software technologies that will make up the metaverse introduces countless attack surfaces and cybersecurity challenges. Here are few unique security concerns that the metaverse presents and how security leaders will need to reorient their approach to stay ahead of the next generation cyberattacker.

    The metaverse’s near-infinite attack surface

    The metaverse ecosystem has a wide attack surface made up of software, hardware and communication channels. Web3 will be all about greater user interaction, and that will mean more user data will be collected. Data can be acquired through AR/VR devices, sensors, cameras and other devices that are connected to the internet. Data can be stored in the metaverse in many ways, such as on servers, in databases on edge, fog or cloud-computing platforms. This is an enormous amount of potentially vulnerable user data, and cybercriminals will follow the money.

    Compromised devices pose new threats

    While the metaverse is still vulnerable to the same threats of today’s Web2, the nature of its immersive and interactive technology adds identity and privacy threats. Rogue or compromised end-user devices present a significant risk of data breaches and malware invasions targeting the user’s monetary assets. In the Web3 world, the user’s identity goes well beyond a character’s avatar, including their private keys for cryptocurrencies, bank details, social relationships, and even images of their digital life history. Since NFTs could soon be used for various forms of identification, from insurance policy documentation and drivers’ licenses to event tickets, the loss or modification of any of these items could constitute identity theft.

    Identity theft on a whole new level

    Interacting with an avatar in Web3 requires pervasive user profiling activities using multiple dimensions and high granularity for facial expressions, eye/hand movements, speech, biometric features and even brain wave patterns. Attackers can impersonate victims in the metaverse by exploiting the behavioral and biological data gathered by AR/VR devices to create a fake avatar for criminal use. Cybercriminals can inject erroneous data into the acquisition stream generated by wearable devices and use it to launch social engineering or other malicious applications.

    Getting physical with cybersecurity strategies to secure the metaverse

    There are practical measures that the security industry and individuals can and should take sooner than later to get ahead of securing the metaverse. Organizations should not only have software protection in place to secure their data, but also add robust defenses on hardware devices and communication channels to protect against identity theft and physical harm. Business and tech leaders entering the Web3 space in any manner should be relentless about education and awareness, since preventing human error can help reduce cybersecurity incidents.

    Reply
  29. Tomi Engdahl says:

    https://x-phy.com/wp-content/uploads/art-and-science-of-building-cyber-security.pdf

    Cyber Defense eMagazine – November 2022 Edition 111
    Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.
    More devices + more tech + more data = more cybercrime

    Accenture reported in 2021 a 125% year-over-year jump in cybersecurity incidents. Despite growing awareness and a wide variety of more advanced tech tools, the criminals are stealing more every year, costing an estimated $3 trillion annually. More devices, more data, and more remote workers mean more opportunities for cybercrime, the most prevalent of which are malware, ransomware, social engineering, and distributed denial-of-service (DDoS) attacks. Bad actors are expert at zeroing in on the smallest security gaps, exploiting vulnerabilities in identity threat detection, endpoint protection, cloud-based supply chain, and social engineering attacks that prey on employees with poor cyber hygiene.

    With every business function having multiple tech solutions working simultaneously, IT and security leaders can understandably feel overwhelmed by integrating a cyber tech stack into 50 or 100 other software tools. A typical midsized organization employs somewhere between 10-15 solutions in its cybersecurity tech stack. The first step is realizing there is no one-size-fits-all security stack. CISOs must carefully choose offerings and configurations that address both their specific needs and the gaps in their cybersecurity systems.

    Mind the gaps in building a cybersecurity tech stack

    With thousands of products and just as many vendors in the market, the process can easily get out of hand if not approached from an organization-first perspective. A typical cybersecurity tech stack may include solutions for network infrastructure, identity and access management, endpoint, application, threat intelligence, and more. The cybersecurity chief should collaborate with management across departments to make sure the security program aligns with business objectives. Business leaders who view cybersecurity as a reactive cost-center are ignoring considerable business benefits that data security brings, from cultivating customer trust to creating better employee user experience. The security leader should build a risk profile that includes budget, manpower and technology knowledge. A detailed risk profile checklist identifies threats and vulnerabilities to determine the probability of an exploitation and the resulting impact on the organization.

    Armed with this assessment, the CISO can select software solutions that address the specific gaps within existing systems. The company can design a cybersecurity infrastructure which will be multi-layered and diversified, addressing risks across the enterprise from physical hardware and internal software to external vendors and the network perimeter.

    Avoid tech Jenga with the right stack

    Companies should avoid using multiple layers of one form of protection. They should diversify them across the system to provide a more holistic barricade against cyber threats, securing each layer of the system, one on top of the other. Single layer solutions are no longer adequate to protect against cybercriminals. Too many organizations are still relying solely on reactive, software-based defenses instead of a comprehensive multi-layer approach that includes the often-neglected hardware and firmware layer.

    However, the most fortified cybersecurity tech stack in the world will not thwart all threats, since human behavior accounts for over 80% of incidents. Phishing and other forms of social engineering attacks are the most common threat vectors, making a comprehensive education and awareness program an absolute necessity in securing an organization’s data.

    Stacking the deck against cybercrime

    As the sheer volume of data and digital transformation continues expanding, so do our vulnerabilities. Most business leaders now recognize the necessity of cybersecurity vigilance, since cyber-attacks at best cause lower profit margins and at worst can prove catastrophic. While developing a powerful cyber defense tech stack has become essential, leaders must not only focus on the technology but also people, strategy, plans, and training.

    Reply
  30. Tomi Engdahl says:

    https://hackaday.com/2022/12/23/this-week-in-security-github-actions-sha-1-retirement-and-a-self-worming-vulnerability/

    Your Tires Are Leaking (Data)

    Back a few years ago, [Mike Metzger] gave a DEFCON talk about TPMS, Tire Pressure Monitoring Systems. This nifty safety feature allows sensors in car tires to talk to the infotainment center, and warn when a tire is low. [Drew Griess] decided to follow up on this bit of info, and see just how practical it would be to use and abuse these gizmos.

    An RTL_SDR and the very useful rtl_433 project do the job quite nicely. Add an antenna, and the signals are readable over fifty feet away. It really becomes interesting when you realize that each of those sensors has a unique ID sent in each ping. Need to track a vehicle? Just follow its tires!

    Your Car is Trackable by Law
    TPMS Tracking
    Today I learned how to read the unique ID of a tire pressure sensor which can be used to track vehicles using a sensor network.
    https://medium.com/@doctoreww/day-2-your-car-is-trackable-by-law-1d5f74388850

    Reply
  31. Tomi Engdahl says:

    https://hackaday.com/2022/12/23/this-week-in-security-github-actions-sha-1-retirement-and-a-self-worming-vulnerability/

    OpenAI, Security Researcher

    One of the tedious bits of reverse engineering is to work through the various functions, guess their purpose, and rename everything to something useful. If only there was a way to automate the process. Enter Gepetto, a project from [Ivan Kwiatkowski], that asks OpenAI’s Davinci-003 model to describe what a decompiled function does. It’s packaged as an IDA Pro plugin, but the concept should apply to other decompilers, too. Step two is to fold that description back into the AI model, and ask it to name the function and variables. The normal warning applies — the AI chat engine will always generate a description that sounds good, but it may be wildly inaccurate.

    https://github.com/JusticeRage/Gepetto

    Reply
  32. Tomi Engdahl says:

    https://hackaday.com/2022/12/23/this-week-in-security-github-actions-sha-1-retirement-and-a-self-worming-vulnerability/

    Sovrin and Decentralized Vulnerabilities

    The folks at CyberArk took a look at the Decentralized IDentity (DID) landscape, and found a spectacularly bad vulnerability in the open source Sovrin network. So first, DID is an attempt to do something genuinely useful on the blockchain, in this case storing identity information. Want to prove that your WordPress account is owned by the same person as your Twitter or Mastodon account? DID can help. The version of this idea that really gets our open source juices flowing is Self-Sovereign Identity, a DID network that allows the end users to have ultimate control over their own data. And for all that goodness, the network is still made up of servers running potentially vulnerable code. The POOL_UPDGRADE command is limited to authorized administrators of the given pool, but the code behind it uses a validate-then-authenticate paradigm.

    https://www.cyberark.com/resources/threat-research-blog/decentralized-identity-attack-surface-part-1
    https://www.cyberark.com/resources/threat-research-blog/decentralized-identity-attack-surface-part-2

    Reply
  33. Tomi Engdahl says:

    Haleluya Hadero / Associated Press:
    The $1.7T US funding package included the INFORM Act, forcing Amazon, Meta, and others to verify prolific sellers to combat counterfeit and dangerous goods

    Funding bill targets online sites amid retail theft concerns
    https://apnews.com/article/technology-business-amazoncom-inc-theft-ce7311fce4db1bcf479c960049bb47e6


    Retailers are scoring one win in the governmentwide spending bill, which will force online marketplaces like Amazon and Facebook to verify high-volume sellers on their platforms amid heightened concerns about retail crime.

    Tucked in the $1.7 trillion funding package lies a piece of legislation brick-and-mortar retailers have been pushing Congress to pass for more than a year, part of an effort to tamp down the amount of goods being stolen from their stores and resold online.

    The bill, called the INFORM ACT, also seeks to combat sales of counterfeit goods and dangerous products by compelling online marketplaces to verify different types of information – including bank account, tax ID and contact details – for sellers who make at least 200 unique sales and earn a minimum of $5,000 in a given year.

    It’s difficult to parse out how much money retailers are losing due to organized retail crime – or if the problem has substantially increased. But the issue has received more notice in the past few years as high-profile smash-and-grab retail thefts and mass shoplifting events grabbed national attention. Some retailers have also said in recent weeks they’re seeing more items being taken from stores.

    Target executives said in November the number of thefts has gone up more than 50%, resulting in more than $400 million in losses. It’s expected to be more than $600 million for the full fiscal year.

    And in an interview with CNBC earlier this month, Walmart CEO Doug McMillon noted that theft at Walmart was higher than it has historically been, and could lead to higher prices and store closures if it persists.

    Meanwhile, Joe Parisi, president and chief operating officer of New York City’s grocery chains D’Agostino’s and Gristedes, said the chains are fighting increased costs from higher levels of organized crime, and they’ve had to double the security guards at stores from a year ago. Walgreens, Best Buy and Home Depot have also pointed out similar problems.

    The National Retail Federation, the nation’s largest retail trade group, said its latest security survey of roughly 60 retailers found that inventory loss – called shrink – clocked in at an average rate of 1.4% last year, representing $94.5 billion in losses.

    Shrink measures losses from sources other than external theft, including theft by employees and product damage. The greatest portion of shrink – 37% – came from external theft, including products taken during organized shoplifting events, the trade group said. It also noted retailers, on average, saw a 26.5% uptick in organized theft incidents last year.

    The funding package that contains the bill seeking to tame the problem was passed by the U.S. House on Friday. It now goes to President Joe Biden to be signed into law.

    Amazon, Ebay and Etsy had initially opposed the verification bill, saying it would damage seller privacy and favor brick-and-mortar retailers over their online competitors. The online marketplaces later threw their support behind the legislation after some changes, including modifications to limit the amount of sellers who disclose their contact information to customers to those making $20,000 or more in annual revenue.

    Under the bill, customers can get a hold of a seller’s name, phone number, email and physical address, with certain exceptions to protect merchants who sell goods out of their homes. The bill says sellers don’t have to disclose their personal address or phone number, provided they respond to customer questions over email or other forms of online messaging provided by the marketplace.

    Reply
  34. Tomi Engdahl says:

    Ransomware is now the most common cyber threat; patching vulnerabilities is astonishingly slow
    https://www.kauppalehti.fi/uutiset/kiristyshaittaohjelmat-ovat-nyt-yleisin-kyberuhka-haavoittuvuuksien-korjaaminen-hammastyttavan-hidasta/8b6ec167-bc94-4729-a714-7d9216aa9c92
    Ransomware attacks have grown at a furious pace in the Nordic countries. Compared with the previous year, the increase is as much as 138 percent. At the same time, ransomware is the most common cybersecurity threat of all. These findings come from a new report by the security company Orange Cyberdefense.
    The report reviewed just under 100,000 potential security incidents detected in the company’s security operations centers around the world. According to the latest report, the number of detected security incidents grew five percent from the previous year.
    However, there are signs of improvement in organizations’ security, and threats have been fended off more successfully than before.

    Reply
  35. Tomi Engdahl says:

    Facebook to Pay $725 Million to settle Lawsuit Over Cambridge Analytica Data Leak https://thehackernews.com/2022/12/facebook-to-pay-725-million-to-settle.html
    Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018. The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those used by Cambridge Analytica to access users’ personal information without their consent for political advertising. The proposed settlement, first reported by Reuters last week, is the latest penalty paid by the company in the wake of a number of privacy mishaps through the years. It still requires the approval of a federal judge in the San Francisco division of the U.S. District Court.

    Reply
  36. Tomi Engdahl says:

    TikTok banned from House of Representatives devices https://therecord.media/tiktok-banned-from-house-of-representatives-devices/
    TikTok will be banned from all devices managed by the House of Representatives, the chamber’s Chief Administrative Office announced Tuesday. The agency’s Office of Cybersecurity has deemed the TikTok mobile application to be a high risk to users due to a number of security risks, the CAO said in an email. Staffers are NOT allowed to download the TikTok app on any House mobile devices and the app is NOT allowed on House mobile devices, the message stated.

    Reply
  37. Tomi Engdahl says:

    Matt Burgess / Wired:
    2022 saw the re-emergence of hacktivism on a large scale, with some new tactics and approaches blurring the lines between hacktivism and state-sponsored attacks — Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.

    Hacktivism Is Back and Messier Than Ever
    https://www.wired.com/story/hacktivism-russia-ukraine-ddos/

    Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.

    DURING ITS BRUTAL war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labeled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.

    Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.

    “I’m not going to say that hacktivism was dying, but it was definitely withering for some time,”

    Russia’s invasion of Ukraine in February prompted a surge in hacktivism activity. Legacy hacktivist collective Anonymous was revitalized, but new groups were also formed. Ukraine’s unprecedented IT Army, a volunteer group of hackers from around the world, has continuously launched DDoS attacks against Russian targets that are outlined in its Telegram group. In June, a speech by Vladimir Putin was delayed after a cyberattack. Other hacktivist-linked groups have run huge hack-and-leak operations against Russian entities, resulting in hundreds of gigabytes of data from Russia being published online.

    On the other side of the conflict, there are four main pro-Russian hacktivist groups, says Sergey Shykevich, threat intelligence group manager at security firm Check Point. These are: Killnet, NoName 057, From Russia With Love, and XakNet. Killnet is probably the most active of these groups, Shykevich says. “Since April, they have targeted around 650 targets—only about 5 percent of them were Ukraine.” Its targets, like the European Parliament, have largely been countries that oppose Russia. The group, which mostly uses DDoS attacks, is proactive on Telegram, media friendly, and appeals to Russian speakers.

    DDoS attacks still have an outsize place within modern hacktivism. An FBI notification, issued in early November, says those behind DDoS attacks have “minimal operational impact” on their victims. “Hacktivists often select targets perceived to have a greater perceived impact rather than an actual disruption of operations,” the FBI said. In other words: The bark is often worse than the bite.

    Erica Lonergan, a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University, says the impact of DDoS attacks is often overstated. Media reports can overemphasize the impact of DDoS, making it sound more severe than it is. “There’s this gap between the hyperbole of the language that’s used to talk about the types of attacks that these groups like Killnet are engaged in, and then the reality of their impact,” Lonergan says.

    But it isn’t all DDoS. In South America, the Guacamaya hacktivist group claims to have hacked mining companies and leaked their internal emails. The politically motivated Belarusian Cyber Partisans, which formed in 2020 following Alexander Lukashenko’s election, has innovated as it disrupts Russian and Belarusian efforts linked to the war. The highly organized group became the first to use ransomware for purely political objectives. It has also claimed to have taken data from Russian government organizations and mapped the data of government officials who have backed Lukashenko’s regime.

    Guerrero-Saade says the Cyber Partisans are part of a new style of hacktivists that use targeted sabotage and disruption.

    Working out who is behind a cyberattack of any kind is always complex and difficult for organizations to do—attackers often try to disguise their activity or hide it from view. However, there is evidence some hacktivists are linked to individual countries. Researchers suspect Predatory Sparrow is linked to a government, for instance. Meanwhile, security firm Mandiant believes that the pro-Russian groups XakNet, Infoccentr, and Cyber Army of Russia all coordinate their operations with Russia’s GRU military hackers. The Cyber Army of Russia launched DDoS attacks against US organizations around the November midterm elections, with XakNet and KillNet also trying to influence the elections, Mandiant claims.

    “They can be used in witting and unwitting ways by governments for political purposes,” Lonergan says. “Killnet for example, on the Russian side, has been pretty explicit in its Telegram channels of disavowing direct links with Moscow. But at the same time, they follow the implicit rules of the road of Russian cyber proxy groups.” Russian cybercrime groups rarely attack Russian targets, and the Kremlin has largely turned a blind eye to them.

    The result is that while hacktivist groups are becoming more sophisticated and testing new tools, there’s increasing uncertainty about their origins. “There will be more hacktivism groups that will be more affiliated with governments,” Shykevich says. “Generally, this year the lines between what is governmental attack, hacktivism, and cybercrime have completely blurred.”

  38. Tomi Engdahl says:

    It’s all in the (lack of) details: 2022’s badly handled data breaches
    https://techcrunch.com/2022/12/27/badly-handled-data-breaches-2022/

  39. Tomi Engdahl says:

    Cyber attacks set to become ‘uninsurable’, says Zurich chief
    There is growing concern among industry executives about large-scale strikes
    https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

    The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.

    Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn. 

    But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch.

    “What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

    Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives.

    Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”

    Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses.

    There are exemptions written into policies for certain types of attacks.

    the policy excluded a “warlike action”

    In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.

    But the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught, and cyber experts have warned that rising prices and bigger exceptions could put off people buying any protection.

    Greco said there was a limit to how much the private sector can absorb, in terms of underwriting all the losses coming from cyber attacks. He called on governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks”. 

    In September, the US government called for views on whether a federal insurance response to cyber was warranted.

  40. Tomi Engdahl says:

    Google Chrome preparing an option to block insecure HTTP downloads
    https://9to5google.com/2022/12/28/chrome-block-insecure-http-downloads/

    As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP.

    While it used to be the case that only privacy-sensitive websites like banks needed to be secured with HTTPS encryption, these days it’s effectively become the default, especially as more websites handle our data on a daily basis. Over the last few years, Google has been adding new protections to Chrome to help encourage the use of HTTPS connections wherever possible.

    Most notably, the browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also, by default, blocks secure websites from using insecure web forms or offering insecure downloads. This combination of secure and insecure elements is called “mixed content.”

    More recently, the company created a toggle in Chrome’s security settings to “Always use secure connections.” Enabling this tells Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue.

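    The three Chrome behaviours the article describes (blocking mixed-content downloads from HTTPS pages, the coming option to warn on plain-HTTP downloads, and the "Always use secure connections" upgrade) written out as a small policy model. This is an added example, not Chrome's code; the decision labels and the `classify_download` and `audit_links` functions are constructed for it.

```python
"""Simplified model of the download rules described above (added example, not Chrome's code)."""
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed decision labels for this example
ALLOW = "allow"
BLOCK_MIXED = "block-mixed-content"       # HTTPS page offering an HTTP download
WARN_INSECURE = "warn-insecure-download"  # HTTP page offering an HTTP download
UPGRADE = "upgrade-to-https"              # "Always use secure connections" rewrite


def classify_download(page_url: str, download_href: str, always_secure: bool = False):
    """Return (decision, effective_url) for a download link found on page_url.

    Relative and scheme-relative links (//host/file) are resolved against the
    page first, so a //host link on an HTTPS page inherits HTTPS and is allowed.
    """
    resolved = urljoin(page_url, download_href)
    page_scheme = urlsplit(page_url).scheme.lower()
    parts = urlsplit(resolved)
    dl_scheme = parts.scheme.lower()

    if dl_scheme == "https":
        return ALLOW, resolved
    if dl_scheme != "http":
        # blob:, data:, ftp: and friends are outside this simplified model
        return ALLOW, resolved
    if always_secure:
        # Rewrite to the HTTPS counterpart; a real browser shows an on-screen
        # warning instead if no HTTPS version of the site exists.
        upgraded = urlunsplit(("https",) + tuple(parts[1:]))
        return UPGRADE, upgraded
    if page_scheme == "https":
        return BLOCK_MIXED, resolved   # mixed content: secure page, insecure download
    return WARN_INSECURE, resolved     # plain HTTP end to end


def audit_links(page_url: str, hrefs, always_secure: bool = False):
    """Count how a page's download links would be treated; useful when checking
    a site before the insecure-download option ships."""
    counts = {ALLOW: 0, BLOCK_MIXED: 0, WARN_INSECURE: 0, UPGRADE: 0}
    for href in hrefs:
        decision, _ = classify_download(page_url, href, always_secure)
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample links for a hypothetical HTTPS page
    links = ["/dl/tool.zip", "http://mirror.example.test/tool.zip", "//cdn.example.test/tool.zip"]
    print(audit_links("https://example.test/downloads", links))
```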
  41. Tomi Engdahl says:

    Log4Shell Still Has Sting In The Tail
    The cyber-vulnerability mounts a quiet comeback as organizations grow complacent
    https://spectrum.ieee.org/log4shell-log4j-still-stings
