Nothing is more difficult than making predictions, especially in fast advancing cyber security field. Instead of me trowing out wild ideas what might be coming, I have collected here some trends many people and publications have predicted for 2023.
HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP on Chrome browser.
Malwertising: Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users also in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.
Encrypted malware: The vast majority of malware arriving over encrypted connections that are typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams traditional firewalls and many other security tools. Over 85% of Attacks Hide in Encrypted Channels. WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.
Software vulnerabilities: Weak configurations for encryption and missing security headers will be still very common in 2023. In 2022 nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications
Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems at reasonable time or at all, so they stay vulnerable. Also new variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.
Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, maintenance of employees’ skills and indifference are the strongest obstacles in the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.
Cloud: In a hyperscale cloud provider, there can be potentially several thousand people, working around the globe that could potentially access our data. Security screening and limiting alone still leaves a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.
MFA: MFA Fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is MFA fatigue attacks a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them with legitimate authentication requests. t’s a huge threat because it bypasses one of the most effective the security measures.
Passwords: Passwords will not go away completely even though new solutions to replace then will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character to the password can make it harder for cyber criminals to use if for some reason it leaks out. The reason us that comma in password can obfuscate tabular comma separated values (csv) files, which are a common way to collect and distribute stolen passwords.
EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity: Network and Information Security 2 also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs on late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors. Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been observed by the cybersecurity community as “the floor” and “a baseline” to cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, remaining their focus solely to IT systems. Especially in the critical infrastructure sectors, overlooking OT can have serious risks to all operations. As a result, the CPGs released explicitly are scoped to include OT devices.
Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.
Loosing the trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.
Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.
Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.
Privacy and data protection:Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.
Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also a challenge that Executives take more cybersecurity risks than office workers – leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that Executives take more cybersecurity risks than office workers
Zero trust: Many people think that Zero Trust is pretty optimal security practice in 2023. It is good for those new systems to whom it’s model suits, but Zero Trust has also challenges. Incorporating zero trust into an existing network can be very expensive. Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesnt coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. Thats where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.
Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.
Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”
Google Workplace: Google Workspace Gets Client-Side Encryption in Gmail. Long waited Client-side encryption for Gmail available in beta .
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.
Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API,
War risks: Watch for continued war between Russia and Ukraine real world and cyber world in 2023. Cyber as important as missile defences – an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.
Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
ISC: ICS and SCADA systems remain trending attack targets also in 2023.
Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all free public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.
PCI DSS: PCI DSS 4.0 Should Be on Your Radar in 2023 if you work on field that needs to meet that. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
SHA-1: NIST Retires SHA-1 Cryptographic Algorithm, not fully in 2023, but starts preparations for phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique is referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replace the 27 years old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phaseout period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers -Amazon Web Services (AWS), Microsoft Azure and Google Cloud- of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.
Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Ethical hacking: Ethical hacking has become a highly-sought after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it because they are at constant risk of failing to perform properly and many companies might not want to hire an ethical hacker.
MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!
Cloud APIs: With Cloud Comes APIs & Security Headaches also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. ccording to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots . About 40% of companies are suffering an incident due to misconfiguration and a third coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions-
Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.
VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.
AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations
But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.
AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. Wired magazine article expects that In 2023, we may well see our first death by chatbot. Causality will be hard to prove was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?
Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. ReadPolicing in the metaverse: what law enforcement needs to know report for more information.
Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. Year 2022 already showed how a lot of cryptocurrency related risks realized. More “Crypto travel rules” enacted to combat money laundering and terrorism financing.
Insurance: Getting a cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks and now increasing cyber was the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are already insurance policies written in the market have an exemption for state-backed attacks, but but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks that have disrupted hospitals, shut down pipelines and targeted government department. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.
Sources:
Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka
Overseeing artificial intelligence: Moving your board from reticence to confidence
Android is adding support for updatable root certificates amidst TrustCor scare
Google Play now lets children send purchase requests to guardians
Diligent’s outlook for 2023: Risk is the trend to watch
Microsoft will turn off Exchange Online basic auth in January
Google is letting businesses try out client-side encryption for Gmail
Google Workspace Gets Client-Side Encryption in Gmail
The risk of escalation from cyberattacks has never been greater
Client-side encryption for Gmail available in beta
AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Microsoft: Edge update will disable Internet Explorer in February
Is Cloud Native Security Good Enough?
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
Google Chrome preparing an option to block insecure HTTP downloads
Cyber attacks set to become ‘uninsurable’, says Zurich chief
The Dark Risk of Large Language Models
Police Must Prepare For New Crimes In The Metaverse, Says Europol
Policing in the metaverse: what law enforcement needs to know
Cyber as important as missile defences – an ex-NATO general
Misconfigurations, Vulnerabilities Found in 95% of Applications
Personnel security in the cloud
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next
MFA Fatigue attacks are putting your organization at risk
NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
Poor software costs the US 2.4 trillion
Passkeys Now Fully Supported in Google Chrome
Google Takes Gmail Security to the Next Level with Client-Side Encryption
Executives take more cybersecurity risks than office workers
NIST Retires SHA-1 Cryptographic Algorithm
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections
Over 85% of Attacks Hide in Encrypted Channels
GitHub Announces Free Secret Scanning, Mandatory 2FA
Leaked a secret? Check your GitHub alerts…for free
Data Destruction Policies in the Age of Cloud Computing
Why PCI DSS 4.0 Should Be on Your Radar in 2023
Google: With Cloud Comes APIs & Security Headaches
Digesting CISA’s Cross-Sector Cybersecurity Performance Goals
Zero Trust Shouldnt Be The New Normal
Don’t click too quick! FBI warns of malicious search engine ads
FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
Kyberturvan ammattilaisista on huutava pula
1,768 Comments
Tomi Engdahl says:
Jokaiseen yritykseen hyökätään 7 kertaa tunnissa
https://etn.fi/index.php/13-news/14912-jokaiseen-yritykseen-hyoekaetaeaen-7-kertaa-tunnissa
Tietoturvayhtiö Check Point on raportoivat vuoden ensimmäisen neljänneksen kehityksen kyberhyökkäysten määrässä. Globaalisti hyökkäysten määrä kasvoi vuodentakaisesta seitsemän prosenttia. Jokainen organisaatio kohtasi keskimäärin 1248 hyökkäystä viikossa eli 178 kertaa päivässä.
Tomi Engdahl says:
Satori Releases Open Source Data Permissions Scanner for Enterprises
https://www.securityweek.com/satori-releases-open-source-data-permissions-scanner-for-enterprises/
Data security firm Satori has released a free and open source tool designed to help organizations find out who has access to what data and how.
Data security firm Satori announced on Thursday the release of a free and open source tool designed to help organizations easily determine who has access to what data and how, enabling them to reduce the risks associated with unauthorized or over-privileged users.
The new Universal Data Permissions Scanner provides visibility into data access permissions across various data stores. It can scan databases, data lakes, data warehouses, and cloud accounts, analyzing permission models in an effort to generate a human-readable list of users and their access level to cloud storage buckets, database tables, and files.
The free tool currently supports Snowflake, Databricks, Amazon S3, Amazon Redshift, Google BigQuery and MongoDB, but new data stores can be added.
“DevOps and data engineers are often tasked with managing the security of the databases, data lakes or warehouses they operate. This usually involves setting permissions to enable users to query the data they need. However, as the number of users and use-cases increase, complexity explodes. It’s no longer humanly possible to remember who had access to what, how and why, which makes meeting security and compliance requirements impossible,” Satori explained.
In addition to the open source version of Universal Data Permissions Scanner, which provides a command-line interface, Satori is offering a fully managed SaaS solution that conducts periodical scans.
https://github.com/SatoriCyber/universal-data-permissions-scanner
Tomi Engdahl says:
Microsoft Expands AI Access to Public
https://www.securityweek.com/microsoft-expands-ai-access-to-public/
Microsoft expanded public access to its generative artificial intelligence programs, despite fears that tech firms are rushing ahead too quickly with potentially dangerous technology.
Microsoft on Thursday expanded public access to its generative artificial intelligence programs, despite fears that tech firms are rushing ahead too quickly with potentially dangerous technology.
The AI-enhanced features of the company’s Bing search engine and Edge internet browser are now open for anyone to use, Yusuf Mehdi, corporate vice president, said in a blog post.
“This means that it will now be easier than ever for everyone to try the new Bing and Edge by simply signing into Bing with your Microsoft Account,” Mehdi said.
The services have been enhanced with the ability to work with images as well as text, and Microsoft intends to add video to the mix, according to the executive.
Tomi Engdahl says:
Using Threat Intelligence to Get Smarter About Ransomware
https://www.securityweek.com/using-threat-intelligence-to-get-smarter-about-ransomware/
Given the crippling effects ransomware has had and indications that these types of attacks aren’t slowing down, it makes sense to look to threat intelligence to help.
Ransomware is rampant. On any given day you can visit your “go to” cybersecurity news source and read about another successful attack or a new malware variant. In fact, research by Proofpoint (PDF) finds that 76% of organizations experienced an attempted ransomware attack in 2022 and 64% were compromised. As a result, ransomware has become top mind for security and IT teams as they manage their threat intelligence strategies.
But how do you go from strategy to execution, from thinking “we need to use threat intelligence to help us thwart ransomware attacks” to making that happen?
As enterprises realize that compromises are inevitable, security operations centers (SOCs) are transforming into detection and response organizations. The end game now is to mitigate risk, and the sooner and better we understand threat actors – their motivations, targets and methods – the more effective we can be at reducing exposure. However, when only 35% of respondents to Mandiant’s Global Perspectives on Threat Intelligence report (PDF) say they have a comprehensive level of understanding about different threat groups and their tools, techniques and procedures (TTPs), we have a problem.
When it comes to dealing with ransomware, the key is to detect activity before the payload has run. Because after that, it may be too late. This is why threat intelligence has become so important; so, a company can understand what is happening externally to better anticipate and protect internally. Companies need to analyze the right data to anticipate these types of attacks and, if an attack is in progress, act on that intelligence to proactively stop threat actors before they execute the payload. Let’s take a closer look.
Tomi Engdahl says:
Passkeys Are Here
https://hackaday.com/2023/05/05/this-week-in-security-oracle-opera-passkeys-and-airtag-rfc/
In case you missed the hype, passwords are dead, apparently. The replacement is the Passkey, a public/private keypair that is managed by the security processor on the user’s device. What’s new this week is yet another big service rolling out support for Passkeys for everyone. Google in this case, now offers Passkey logins for all personal Google accounts.
For all the hype, it’s worth pointing out that passkeys are just passwords, with all the best-practice options mandated. It’s a string of data that isn’t based on dictionary words, is stored securely by a credential manager, is never re-used across sites, never expires, and is only used in secure cryptographic proofs. Oh, and Chrome on MacOS and on some Windows 10 and 11 installs can handle passkeys. But sadly there’s no love for Linux users yet.
https://www.yubico.com/resources/glossary/what-is-a-passkey/
Passkey Definition
The term passkey is an amalgamation of the terms password and key, a simple but subtle way of highlighting its utility as an authentication mechanism as familiar and ubiquitous as the traditional password, but also conjuring the imagery of reliability associated with a sturdy lock that can only be opened by a physical key. Pass “words” rely on a word, phrase, or string of characters (usually combined with a username) to authenticate users, while pass “keys” by comparison, use the mathematical underpinnings of public and private cryptographic keys to authenticate. Once a passkey has been set up, the authentication process happens opaquely at login, with minimal additional involvement from the user. A login event becomes an effortless, almost automatic, experience for people who have access to the proper passkey while simultaneously becoming essentially impossible for anyone else. Passkey technology is the cybersecurity industry’s attempt to streamline, modernize and rebrand authentication lexicon, even if the underlying technology is essentially identical to FIDO2/WebAuthn, which have existed since 2018.
https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html
Starting today, you can create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in.
Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN.
Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like “SIM swaps” for SMS verification. Passkeys help address all these issues.
Tomi Engdahl says:
Google Launches New Cybersecurity Analyst Training Program
https://www.securityweek.com/google-launches-new-cybersecurity-analyst-training-program/
Google has announced a new training program for cybersecurity analysts and those who graduate will get a professional certificate from Google.
Google on Thursday announced a new cybersecurity training program. Those who sign up for the class will prepare for a cybersecurity analyst career and they will receive a professional certificate from Google when they graduate.
The new Cybersecurity Certificate is part of the company’s Grow With Google initiative. The program was built by Google experts and it’s hosted by online course provider Coursera.
Interested individuals can sign up for a 7-day free trial, after which they will have to pay $49 per month to continue learning.
In addition, educational institutions such as Purdue University, the University of Texas System, Syracuse University, and Northern Virginia Community College will offer the new course from Google to their students.
Google says no relevant experience is necessary for the course and participants are able to learn at their own pace, with classes running for 6 months at 7 hours a week.
The training provided by the internet giant is useful for various analyst roles, including SOC, information security, IT security, and cyber defense analyst.
https://grow.google/intl/fi#?modal_active=none
Tomi Engdahl says:
Biden, Harris Meet With CEOs About AI Risks
https://www.securityweek.com/biden-harris-meet-with-ceos-about-ai-risks/
Vice President Kamala Harris met with the heads of companies developing AI as the Biden administration rolls out initiatives to ensure the technology improves lives without putting people’s rights and safety at risk.
Vice President Kamala Harris met on Thursday with the heads of Google, Microsoft and two other companies developing artificial intelligence as the Biden administration rolls out initiatives meant to ensure the rapidly evolving technology improves lives without putting people’s rights and safety at risk.
President Joe Biden briefly dropped by the meeting in the White House’s Roosevelt Room, saying he hoped the group could “educate us” on what is most needed to protect and advance society.
“What you’re doing has enormous potential and enormous danger,” Biden told the CEOs, according to a video posted to his Twitter account.
The popularity of AI chatbot ChatGPT — even Biden has given it a try, White House officials said Thursday — has sparked a surge of commercial investment in AI tools that can write convincingly human-like text and churn out new images, music and computer code.
Tomi Engdahl says:
How small businesses can secure employees’ mobile devices https://www.malwarebytes.com/blog/news/2023/05/duties-a-small-business-must-do-to-secure-employees-mobile-devices
Fact: 77% of organizations are convinced they’re capable of protecting their mobile devicessmartphones, tablets, and laptops (including Chromebooks)from cybersecurity threats. Another fact: A third of those organizations aren’t protecting their mobile devices at all. And that mattersin its Mobile Security Index 2022 report, Verizon reported that
45 percent of businesses suffered a major mobile-related compromise with lasting repercussions
Tomi Engdahl says:
Lack of Visibility: The Challenge of Protecting Websites from Third-Party Scripts https://thehackernews.com/2023/05/lack-of-visibility-challenge-of.html
Third-party apps such as Google Analytics, Meta Pixel, HotJar, and JQuery have become critical tools for businesses to optimize their website performance and services for a global audience. However, as their importance has grown, so has the threat of cyber incidents involving unmanaged third-party apps and open-source tools
Tomi Engdahl says:
How the ZeuS Trojan Info Stealer Changed Cybersecurity https://securityintelligence.com/articles/how-the-zeus-trojan-info-stealer-changed-cybersecurity/
Information stealer malware is a type of malicious software designed to collect sensitive information from a victims computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, its highly adept at exfiltrating login credentials, financial information and personal data. Though this type of malware has been around in some form for over two decades, the ZeuS trojan was by far one of the most influential info stealers in that timeframe. Lets take a look at the history of info stealers, and how this type of threat impacted cybersecurity then and now
Tomi Engdahl says:
How to Set Up a Threat Hunting and Threat Intelligence Program https://thehackernews.com/2023/05/how-to-set-up-threat-hunting-and-threat.html
Threat hunting is an essential component of your cybersecurity strategy. Whether you’re getting started or in an advanced state, this article will help you ramp up your threat intelligence program. The cybersecurity industry is shifting from a reactive to a proactive approach. Instead of waiting for cybersecurity alerts and then addressing them, security organizations are now deploying red teams to actively seek out breaches, threats and risks, so they can be isolated. This is also known as “threat hunting.”
Tomi Engdahl says:
Microsoft enforces number matching to fight MFA fatigue attacks https://www.bleepingcomputer.com/news/microsoft/microsoft-enforces-number-matching-to-fight-mfa-fatigue-attacks/
Microsoft has started enforcing number matching in Microsoft Authenticator push notifications to fend off multi-factor authentication (MFA) fatigue attacks. In such attacks (also known as push bombing or MFA push spam), cybercriminals flood the targets with mobile push notifications asking them to approve attempts to log into their corporate accounts using stolen credentials
Tomi Engdahl says:
Google Releases Open Source Bazel Plugin for Container Image Security
https://www.securityweek.com/google-releases-open-source-bazel-plugin-for-container-image-security/
Google announces the general availability of ‘rules_oci’ Bazel plugin to improve the security of container images.
Google last week announced the general availability of ‘rules_oci’, an open source Bazel plugin for building container images.
Bazel improves supply chain trust by using dependencies’ integrity hashes. Google uses this build and test tool for creating Distroless base images for Docker.
Distroless images too are meant to improve supply chain security, as they are minimal base images that include only what is necessary for applications to run.
“Using minimal base images reduces the burden of managing risks associated with security vulnerabilities, licensing, and governance issues in the supply chain for building applications,” Google explains.
According to the internet giant, rules_oci, the new ruleset that replaces rules_docker, which was previously used for building container images, provides numerous improvements, including features related to security.
The new plugin can use trusted third-party toolchains, does not require running a docker daemon already on the machine, and does not include language-specific rules.
It also allows for the transparent use of private registries, and provides users with a software bill of materials (SBOM), so they can verify the source of dependencies.
Introducing rules_oci
https://security.googleblog.com/2023/05/introducing-rulesoci.html
Today, we are announcing the General Availability 1.0 version of rules_oci, an open-sourced Bazel plugin (“ruleset”) that makes it simpler and more secure to build container images with Bazel. This effort was a collaboration we had with Aspect and the Rules Authors Special Interest Group. In this post, we’ll explain how rules_oci differs from its predecessor, rules_docker, and describe the benefits it offers for both container image security and the container community.
https://github.com/bazel-contrib/rules_oci
Tomi Engdahl says:
The SBOM Bombshell
https://www.securityweek.com/the-sbom-bombshell/
SBOMs can be used for managing risk and determining vulnerability impact, but it’s very hard to build holistic risk models when the data is not standardized across multiple platforms.
Software supply chain: Part 1
President Biden’s Executive Order 14028 in May 2021 called out the federal need to purchase software that include SBOMs, which they define to “Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.” This has been a huge catalyst for the security space, leading to more questions about the inner workings of widely used software both in the government space and vendors that do business with the government.
Today, many security players and code scanners in the market are finally starting to automatically generate SBOMs as part of their offerings, often with no added cost. While each one is a bit disparate in their exact offering, I view this as a great advancement in the space and gives way too much needed visibility into the complex code deployments that exist in modern cloud infrastructure.
If you are not familiar with how complex these webs can be, here is an example pulled from GraphMyRepo on the pandas data analysis framework, which is about 15MB in size and used by millions of companies globally.
There are many security vendors in this space, as well as open source frameworks that will scan your dependency tree. The major problem we have today is the SBOM is not created equally. SBOMs can be used for managing risk and determining vulnerability impact, if properly done, but it’s very hard to build holistic risk models when the data is not standardized across multiple platforms.
Here are three key points that you need to take away from your SBOMs:
Understanding where the software is used
As security professionals, we often ask ourselves the question “do we a piece of software and where?” This question continues to evolve with more complexities if we include software dependencies in development versus production level code. But what about when you have multiple products or multiple environments with different risk profiles?
Charactering legal risk of your open-source libraries
One item often overlooked is the need to understand open source licensed software to ensure compliance to your organizations policy. Licensing can have legal ramifications and open your code to discovery and legal claims.
Understanding downstream libraries
Remember the story of the faker open source project that quite literally destroyed downstream users? Dependencies often have other dependencies that get overlooked during the scanning. It’s important to recursively search your code to uncover downstream libraries that may be affected, especially in the production pipeline.
Prepare for alternatives in advance
Vulnerabilities are discovered all the time in open source libraries, and often they take time to fix. These could me a matter of days, weeks, or even months. Knowing that you have potentially unsupported software is critical to being able to respond properly. You may need to remove code within the library yourself or fork and maintain the project internally. It may be unreasonable to completely remove all risk, but having a plan for the weak links in advance will mitigate this type of risk when it occurs.
The SBOM experiment has a long way to go, and many are trying to standardize the format to machine readable standards (SPDX, CycloneDX, etc) that go way beyond what I have mentioned above. We are moving in the right direction, however we must try to unify these standards into a common machine readable format or face an explosion of different standards.
As we continue to build larger and more complex modular software, we continue to increase the outside dependencies and surface area for supply chain attacks. While we can manually develop and gain more insights for “Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk”, the future is being able to automate the entire workflow process from findings to remediation.
Tomi Engdahl says:
How real is deepfake threat?
https://www.kaspersky.com/blog/deepfake-darknet-market/48112/
Cybercrime quickly adopts new technologies. One of the most concerning trends is the rise of deepfakes forged images, audio or video created with the aid of artificial intelligence, which makes them appear absolutely real at least to the naked eye. The issue is all the more disturbing of late as tools for AI-generation become increasingly widespread and accessible to the general public
Tomi Engdahl says:
Remote workers are still more vulnerable to hackers than they should be. Here’s what to do https://www.zdnet.com/article/remote-workers-are-still-more-vulnerable-to-hackers-than-they-should-be-heres-what-to-do/
The benefits of remote and hybrid working have very much been accepted by employees — according to Forrester, 68% of people who work remotely say they want to work from home more often. However, while the rise of hybrid working has brought benefits, it’s also created problems — and one of those is that it’s harder than ever to keep employees and networks safe from cyber attacks
Tomi Engdahl says:
In Global Rush to Regulate AI, Europe Set to Be Trailblazer
https://www.securityweek.com/in-global-rush-to-regulate-ai-europe-set-to-be-trailblazer/
Europe is set to be the trailblazer when it comes to regulating AI such as ChatGPT.
The breathtaking development of artificial intelligence has dazzled users by composing music, creating images and writing essays, while also raising fears about its implications. Even European Union officials working on groundbreaking rules to govern the emerging technology were caught off guard by AI’s rapid rise.
The 27-nation bloc proposed the Western world’s first AI rules two years ago, focusing on reining in risky but narrowly focused applications. General purpose AI systems like chatbots were barely mentioned. Lawmakers working on the AI Act considered whether to include them but weren’t sure how, or even if it was necessary.
“Then ChatGPT kind of boom, exploded,” said Dragos Tudorache, a Romanian member of the European Parliament co-leading the measure. “If there was still some that doubted as to whether we need something at all, I think the doubt was quickly vanished.”
Tomi Engdahl says:
Pankkitunnuksilla kirjautumiseen tulee muutos näin se näkyy sinulle https://www.is.fi/digitoday/tietoturva/art-2000009572641.html
Sähköinen asiointi Suomessa muuttuu. Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskuksen mukaan tavalliselle käyttäjälle tämä näkyy muun muassa tunnistautumisen yksinkertaistamisena.
Tarkoituksena on parantaa turvallisuutta. Syynä muutokseen on Traficomin määräys vahvasta sähköisestä tunnistuksesta ja luottamuspalveluista. Määräys astuu täysimääräisinä voimaan kesäkuussa tänä vuonna
Tomi Engdahl says:
Deconstructing a Cybersecurity Event
https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform. Dragos has a culture of transparency and a commitment to providing educational material to the community. This is why its important to us to share what happened during a recent failed extortion scheme against Dragos in which a cybercriminal group attempted to compromise our information resources
Tomi Engdahl says:
Uncovering RedStinger – Undetected APT cyber operations in Eastern Europe since 2020 https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
Malwarebytes Threat Intelligence Team discovered a new interesting lure targeting the Eastern Ukraine region and reported that finding to the public. We started tracking the actor behind it, which we internally codenamed Red Stinger. We have identified attacks from the group starting in 2020, meaning that they have remained under the radar for at least three years
Tomi Engdahl says:
Fraud & Identity Theft
Google Now Lets US Users Search Dark Web for Their Gmail ID
https://www.securityweek.com/google-now-lets-us-users-search-dark-web-for-their-gmail-id/
Google is now letting Gmail users in the US run scans to learn whether their Gmail ID appears on the dark web.
Gmail users in the US can now run scans to find out whether their Gmail ID appears on the dark web, Google announced today at Google I/O, its annual developer conference.
The feature was initially announced in March, when the internet giant released it for Google One users only.
It allows users to run scans and receive a report informing them whether their information, including name, address, email address, phone number, and Social Security number, appears on dark web portals.
Such information typically ends up on the dark web following a data breach (cybercriminals are known to share or trade stolen personally identifiable information on underground forums), but could also be harvested from publicly available databases.
With the dark web report enabled, users are automatically notified when matching information is found. Google will also provide guidance on how to protect the exposed information.
The internet giant says it plans to make the dark web report available to international markets soon.
Tomi Engdahl says:
CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief
https://www.securityweek.com/ciso-conversations-hp-and-dell-cisos-discuss-the-role-of-the-multi-national-security-chief/
Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation compared to a national company.
HP and Dell Technologies are two of the world’s largest international computer manufacturers. Their CISOs, Joanna Burkey (HP) and Kevin Cross (Dell), both manage security teams comprising many hundreds of people, and are responsible for corporate security across multiple jurisdictions. The role of CISO is different for a multinational corporation compared to a national company.
Tomi Engdahl says:
EU yrittää säädellä tekoälyä
https://etn.fi/index.php/13-news/14949-eu-yrittaeae-saeaedellae-tekoaelyae
Euroopan Unioni yrittää kehittää lainsäädäntöä pitääkseen tekoälyn jollakin tavalla aisoissa. Tulevan AI Act -lainsäädännön kehityksen kanssa on kiire. CharGPT:n rynnistys markkinoille on saanut myös EU:n varpailleen.
EU:n ihmisoikeuksien komissaari Dunja Mijatović julkisti tänään raporttinsa, joka toimii tulevan lainsäädännön suuntaviivoina. – Koska tekoälyn kehitys vaikuttaa lähes kaikkiin elämämme osa-alueisiin ja sen vaikutus kasvaa entisestään lähitulevaisuudessa, jäsenvaltioiden on ryhdyttävä konkreettisiin toimiin varmistaakseen, että ihmisten ihmisoikeudet turvataan tekoälyjärjestelmien suunnittelussa, kehittämisessä ja käyttöönotossa, Mijatović esittää.
Tomi Engdahl says:
Why more transparency around cyber attacks is a good thing for everyone https://www.ncsc.gov.uk/blog-post/why-more-transparency-around-cyber-attacks-is-a-good-thing-for-everyone
Eleanor Fairford, Deputy Director of Incident Management at the NCSC, and Mihaela Jembei, Director of Regulatory Cyber at the Information Commissioners Office (ICO), reflect on why its so concerning when cyber attacks go unreported and look at some of the misconceptions about how organisations respond to them. At the NCSC and ICO, we deal with the fallout from serious cyber attacks every day. Our responsibilities are different, but we both work on incidents that can take down businesses, severely impact national services and infrastructure, and massively disrupt peoples day-to-day lives. Youll be familiar with some of the headlines and its not a pretty picture.
But we are increasingly concerned about what happens behind the scenes of the attacks we dont hear about, particularly the ransomware ones.
They are the attacks that arent reported to us and pass quietly by, pushed to one side, the ransoms paid to make them go away. And if attacks are covered up, the criminals enjoy greater success, and more attacks take place. We know how damaging this is
Tomi Engdahl says:
GitHub now auto-blocks token and API key leaks for all repos https://www.bleepingcomputer.com/news/security/github-now-auto-blocks-token-and-api-key-leaks-for-all-repos/
GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories.
Today’s announcement comes after the company introduced push protection in beta more than one year ago, in April 2022. This feature proactively prevents leaks by scanning for secrets before ‘git push’
operations are accepted, and it works with 69 token types (API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, credentials, and more) detectable with a low “false positive” detection rate
Tomi Engdahl says:
Geolocating IPs is harder than you think
https://isc.sans.edu/diary/rss/29834
There are several resources available that assist in geolocating IP addresses. Commercial offerings like MaxMind (which also offers a free
database) have a pretty good track record in locating a particular IP address. But still, there are several difficulties when it comes to IP address-based geolocation. First, let’s look at some of the options to geolocate a computer
Tomi Engdahl says:
So much for Pakistans plan for digital economy its turned off the internet https://www.theregister.com/2023/05/11/pakistan_protest_internet_cut/
Pakistan has blocked internet access across much of the country perhaps indefinitely as protests erupt over the arrest of former prime minister Imran Khan. When he was arrested on charges of corruption early this week, protests quickly followed and became unusually widespread and violent. The authorities have responded with widespread internet blocks. Numerous reports suggest that in places connectivity persists, though social networks cannot be reached
Tomi Engdahl says:
ENISA leans into EU-based clouds with draft cybersecurity label https://www.theregister.com/2023/05/11/eu_cybersecurity_label_scheme_faces/
Cloud services providers that aren’t based in Europe like the Big Three may have to team up with a cloud that is operated and maintained from the EU if they want ENISA’s stamp of approval for handling sensitive data. ENISA, the European Union’s cybersecurity agency, is currently developing a cybersecurity certification scheme that aims to better protect member-state governments’ and businesses’
data. This reportedly includes a new proposal that would require any non-European cloud providers to form a joint-venture with an EU-based provider if they want to earn a coveted ENISA cybersecurity label
Tomi Engdahl says:
Lumen Operational Advisory: Anatomy Of A DNS Water Torture Attack https://blog.lumen.com/anatomy-of-a-dns-water-torture-attack/
Lumen has seen a significant increase over the last few months in attackers leveraging the DNS Water Torture Attack, a form of distributed denial of service (DDOS) attack. Heres what you need to know about these attacks what they look like, how they function, and how they can be mitigated. A DNS Water Torture attack prepends pseudo-random alphanumeric characters to valid DNS domain queries.
Because these queries are a) not cached, and b) not actual legitimate DNS hostnames, the queries are sent to the authoritative DNS server for the domain (zone)
Tomi Engdahl says:
Europe’s AI Act Moves Forward With Increased Privacy Protections https://www.forbes.com/sites/emmawoollacott/2023/05/11/europes-ai-act-moves-forward-with-increased-privacy-protections/
Two European Parliament parliamentary committees have voted to ban biometric mass surveillance in public spaces, approving a draft text of the AI Act. The draft also bans the use of facial recognition databases, biometric categorization and emotion recognition, in a victory for privacy campaigners
Tomi Engdahl says:
Ghost in the network
https://www.lighthousereports.com/investigation/ghost-in-the-network/
In the decade since Edward Snowdens leaks exposed the workings of the US and UK national surveillance apparatus, the market for spying services has fragmented and expanded into a start-up economy of location trackers, password crackers and data extractors.
Investigations into this industry have focused on spyware companies like NSO Group and Intellexa. But here we expose a prolific actor in this space, operating not from a secret office building in the high tech hubs of Tel Aviv, Larnaca or Athens but from a modest terraced house on a sleepy sidestreet in the medieval town of Basel
Tomi Engdahl says:
Let white-hat hackers stick a probe in those voting machines, say senators https://www.theregister.com/2023/05/11/us_voting_system_pen_testing/
US voting machines would undergo deeper examination for computer security holes under proposed bipartisan legislation. Senators Mark Warner (D-VA) and Susan Collins (R-ME) this week introduced an amendment to the Help America Vote Act (HAVA) that would require the nation’s Election Assistance Commission to include penetration testing in its certification process of voting hardware and software. That tech would need to undergo pen testing before it could be used in elections. Today’s HAVA regulations the law was passed in 2002 following that 2000 election require the commission to provide testing and certification, decertification, and recertification of electronic ballot box hardware and software by accredited laboratories. But the rules stop short of explicitly requiring pen testing of these voting machines something hackers at DEF CON have been doing for years
Tomi Engdahl says:
Smart devices: using them safely in your home https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home
Smart devices are the everyday items that connect to the internet.
This can include both ‘hi-tech’ items (think smart speakers, fitness trackers and security cameras), and also standard household items (such as fridges, lightbulbs and doorbells). Unlike conventional household items, you can’t just switch on a smart device and forget it; you’ll need to check a few simple things to protect yourself. This page explains how to set up and manage your smart devices to keep your home – and your information – safe
Tomi Engdahl says:
Google adds unwanted tracker detection to Find My Device network https://www.malwarebytes.com/blog/news/2023/05/google-adds-unwanted-tracker-detection-to-find-my-device-network
Last week we reported that Google and Apple were looking for input on a draft specification to alert users in the event of suspected unwanted tracking. Apple and Google said other tracker makers like Samsung, Tile, Chipolo, eufy Security, and Pebblebee have expressed interest in their draft. Now, Google has used its annual I/O conference keynote to announce updates to its Find My Device network aimed at stopping unwanted tracking by devices with built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Googles expected Grogu
Tomi Engdahl says:
Millions of mobile phones come pre-infected with malware, say researchers https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/
Miscreants have infected millions of Androids worldwide with malicious firmware before the devices even shipped from their factories, according to Trend Micro researchers at Black Hat Asia. This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it. The gadgets have their manufacturing outsourced to an original equipment manufacturer (OEM). That outsourcing makes it possible for someone in the manufacturing pipeline such as a firmware supplier to infect products with malicious code as they ship out, the researchers said
Tomi Engdahl says:
An Overview Of Supply Chain Attacks And Protection Strategies https://www.forbes.com/sites/davidbalaban/2023/05/13/an-overview-of-supply-chain-attacks-and-protection-strategies/
As corporations have been stepping up their security measures, hacker groups have shifted their focus toward software vendors and various system providers. The frequency of supply chain attacks has multiplied several times compared to what it was in 2020. The concept of a Supply Chain Attack revolves around hijacking an organization’s IT infrastructure via third-party vendors. By securing initial access to, say, a vendor’s code management or version control systems, attackers can disseminate their malicious software while masquerading as a legitimate application. Since the company does not have direct control over all its suppliers, it is virtually impossible to fully safeguard against such threats
Tomi Engdahl says:
Energy Transformation via Cyber-Resilient Smart Grid https://www.trendmicro.com/en_us/research/23/e/energy-transformation-cyber-resilient-smart-grid.html
As the need for reliable and affordable energy sources grows, countries worldwide are increasingly turning to smart grids. Smart grids revolutionize how society accesses energy, enabling higher efficiency, reliability, and cost-effective management of energy resources. But these advancements come with a risksmart grid infrastructures are highly vulnerable to cyberattacks, leading to costly consequences if left unprotected. Drawing on the Achieving Energy Transformation: Building a Cyber Resilient Smart Grid – Report released on April 2023 from TXOne Networks, a Trend Micro’s affiliated company dedicated to OT security. This blog will discuss key vulnerabilities in smart grids. It also discusses the associated cybersecurity standards and countermeasures that must be taken to protect this vital infrastructure from malicious activities
Tomi Engdahl says:
The .zip gTLD: Risks and Opportunities
https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838
About ten years ago, ICANN started the “gTLD” program. “Generic TLDs”
allows various brands to register their own trademark as a TLD.
Instead of “google.com”, you now can have “.google”! Applying for a gTLD isn’t cheap, and success isn’t guaranteed. But since its inception, dozens of new gTLDs have been approved and started to be used. The reputation of these new gTLDs has been somewhat mixed. On one end, several very cheap TLDs emerged from the process that are often abused. For example, .xyz or .top are often used for cheap “throw-away” domains. But we also had some large companies, for example, Google, use it (try: domains.google). Google submitted applications for several different gTLDs. One of the more interesting gTLDs Google obtained is “.zip”. This gTLD was approved in 2014, and has not seen much use since then. The current zone file for “.zip”
contains only 1230 names. To access the zone files for many of the gTLDs, ICANN operates the “Centralized Zone Data Service” at czds.icann.org
Tomi Engdahl says:
Cybersecurity Competence Centre in Bucharest to provide Europe-wide Cyber Shield https://www.euractiv.com/section/politics/news/cybersecurity-competence-centre-in-bucharest-to-provide-europe-wide-cyber-shield/
The European Cybersecurity Competence Center (ECCC) was officially opened on Tuesday in Bucharest, the first European entity based in Romania to ensure the functioning of the EU-wide Cyber Shield. ECCC became a reality almost two years ago, and the governing board has already been quite active for some time, holding meetings, first online, because of the pandemic, and then in person, ECCC acting Executive Director Miguel González-Sancho said. Hiring staff was possible only after we had a house. He added that there are currently
14 staff, but the number will grow steadily until there are 40 next year. The ECCC headquarters is housed in a Politehnica University of Bucharest building. Prime Minister Nicolae Ciuc admitted that the centres headquarters are not yet completely ready, but Romanian authorities wanted to symbolically inaugurate it on Europe Day
Tomi Engdahl says:
Passkeys may not be for you, but they are safe and easyheres why https://arstechnica.com/information-technology/2023/05/passkeys-may-not-be-for-you-but-they-are-safe-and-easy-heres-why/
My recent feature on passkeys attracted significant interest, and a number of the 1,100-plus comments raised questions about how the passkey system actually works and if it can be trusted. In response, I’ve put together this list of frequently asked questions to dispel a few myths and shed some light on what we knowand don’t knowabout passkeys
Tomi Engdahl says:
SatIntel: OSINT Tool for Satellites
https://hackaday.io/project/190987-satintel-osint-tool-for-satellites
SatIntel is an OSINT tool for Satellites. Extract satellite telemetry, receive orbital predictions. and parse TLEs
Tomi Engdahl says:
How to stop hotel break-ins!
https://www.youtube.com/shorts/kO0FTuaWCF4
Tomi Engdahl says:
Nokian tekoälyyn perustuva turva sai tunnustusta
https://etn.fi/index.php/13-news/14962-nokian-tekoaelyyn-perustuva-turva-sai-tunnustusta
Nokia on kohonnut nopeasti laajenevan XDR-tietoturvaohjelmistomarkkinan johtajaksi, ilmoittaa GigaOm-analyytikkoryhmä. Analyysin mukaan Nokian laajennettuun havaitsemiseen ja vastaamiseen (XDR, extended detection response) perustuva tietoturva-alusta tarjoaa operaattoreille ja yrityksille vahvan 5G-verkon puolustuksen erilaisilla tekoäly- ja koneoppimiskyvyillä.
GigaOmin mukaan Nokia ”osoittaa selkeyttä visiossaan ja ominaisuuksissaan korkeasti kyvykkään XDR-alustansa kanssa. Tämä ratkaisu sisältää kyvyn kerätä tietoa monipuolisesta lähteistä, tehokkaan automaatiomoottorin sekä intuitiiviset kojetaulut ja raportoinnin.”
Nokia käyttää AI:ta ja koneoppimista XDR-ratkaisuissaan. Niiden avulla yritysten tietoturvatiimit pystyvät reaaliaikaiseen uhkien havaitsemisen ja niihin vastaamisen yhdistämällä dataa eri tietoturvateknologioista.
Nokia XDR -ratkaisu “NetGuard Cybersecurity Dome” mahdollistaa sen, että kyberturvatiimit voivat valita kattavasta käyttötapausten luettelosta, joka kattaa koko kriittisen infrastruktuuriteknologian core-verkosta siirtoverkkoon ja aina RAN-verkkoon asti. Nämä käyttötapaukset havaitsevat tiettyjä verkkouhkia ja tarjoavat ennalta määritellyt toiminnot tietoturvatapauksille ja korjaustoimien hallinnalle.
XDR-tietoturvaohjelmistomarkkinan ennustetaan kasvavan lähes 150 prosenttia tulevina vuosina, noin 965 miljoonasta dollarista vuonna 2022 noin 2,4 miljardiin dollariin vuoteen 2027 mennessä, kertovat alan arviot.
Tomi Engdahl says:
NATO-käyttöön tehty läppäri salaa itse kiintolevynsä
https://etn.fi/index.php/13-news/14964-nato-kaeyttoeoen-tehty-laeppaeri-salaa-itse-kiintolevynsae
Sotilaskäytössä läppärini pitää kestää koviakin olosuhteita, mutta se ei vielä riitä. Lisäksi laitteen tietoturvalta vaaditaan normaalia enemmän. Panasonicin Toughbook 40 on hyvä esimerkki tällaisesta kenttäkannettavasta.
Kannettava on varustettu Viasatin toteuttamalla itsesalaavalla Eclypt Core Encrypted Internal Solid State Drive -kiintolevyllä. Tämän myötä laite tarjoaa NATO-tason optimaalista tietoturvaa.
Tomi Engdahl says:
Pahimmat haitakkeet tulevat roskapostin kautta
https://www.uusiteknologia.fi/2023/05/12/pahimmat-haitakkeet-tulevat-roskapostin-kautta/
Maailmalla haittaohjelmien kärjessä ovat tietoturvayhtiö Check Pointin mukaan roskapostin mukana tulevat Agent Tesla ja Qbot. Ne pystyvät tallentamaan näppäintoimintoja ja keräämään jopa uhrin käyttämien ohjelmistojen salasanoja. Suomessa niistä yleisin on vuonna 2008 havaittu Qbot. Maailman yleisin haitake oli Agent Tesla.
Tietoturvayhtiö Check Point Software Technologiesin tutkijat havaitsivat huhtikuussa uuden mittavan kampanjan, jossa Qbot-haittaohjelmaa levitettiin uudella jakelutavalla sähköposteihin liitettyjen haitallisten, suojattujen PDF-tiedostojen kautta. Kun tiedostot oli ladattu, haittaohjelma asennettiin laitteelle. Haittaohjelmaa levitettiin useilla eri kielillä ja kohteena oli organisaatioita ympäri maailmaa.
Yhtiön huhtikuun listalle teki paluun myös Mirai-, joka on yksi yleisimmistä IoT-laitteiden haittaohjelma. Se käytti uutta nollapäivän haavoittuvuutta CVE-2023-1380 hyökätessään TP-Linkin reitittimiin ja lisätäkseen ne bottiverkkoonsa, jota on käytetty joidenkin kaikkien aikojen tuhoisimmissa hajautetuissa DDoS-hyökkäyksissä. Viimeisin kampanja on jatkoa CPR:n havainnoille IOT-hyökkäysten yleistymisestä.
Tomi Engdahl says:
Käytätkö verkkopalveluja? Näin sähköinen tunnistautuminen muuttuu kesäkuussa
Turvallisuutta parantava uudistus astuu voimaan kesäkuussa.
https://www.iltalehti.fi/tietoturva/a/1529ed40-2c7c-47f4-b8ad-617affd2b59e
Verkkoasiointiin on tulossa merkittävä uudistus, jonka on tarkoitus selventää niiden käyttäjälle tarkemmin sitä, että mihin palveluun hän on kirjautumassa. Uudistuksella parannetaan myös käyttäjän verkkoturvallisuutta sähköisissä palveluissa. Uudistus astuu voimaan kesäkuussa 2023.
Kyberturvallisuuskeskus kertoo tiedotteessaan, että käyttäjälle on jatkossa tulossa palvelun nimitiedot tarkemmin selville. Käytännössä tämä tarkoittaa, että verkkopalveluihin kirjautuessa myös varmennelaitteella ilmoitetaan palvelun nimi, mihin käyttäjä on kirjautumassa.
– Esimerkiksi niin, että käyttäjä menee selaimellaan “Verkkokauppa Verho”:n verkkokauppaan. Tunnistuksen eri vaiheissa käyttäjän tulisi nähdä tämä sama tieto “Olet tunnistautumassa: Verkkokauppa Verho”, tiedotteessa kerrotaan.
Mikäli tunnistetiedot eivät täsmää käyttäjä voi päätellä, että hänet on houkuteltu väärään palveluun.
Vahvan sähköisen tunnistuksen uudet vaatimukset tekevät asioinnista entistä turvallisempaa
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/vahvan-sahkoisen-tunnistuksen-uudet-vaatimukset-tekevat-asioinnista-entista
Liikenne- ja viestintäviraston määräys koskien vahvaa sähköistä tunnistusta ja luottamuspalveluita astuu täysimääräisinä voimaan kesäkuussa 2023. Uudessa määräyksessä on kaksi tärkeää kohtaa, jotka tekevät sähköisestä asioinnista entistä turvallisempaa.
Suomessa asiointipalvelut ostavat pääsääntöisesti vahvan sähköisen tunnistuksen palveluja välityspalveluilta, jotka puolestaan muodostavat yhteydet Suomen 13 yksityissektorin tunnistusvälineen tarjoajaan. Käyttäjälle tämä rakenne ei kovin usein tule esille. Joskus välityspalvelun mukanaolo sekoittaa loppukäyttäjän. Käyttäjän on ollut vaikeaa varmistaa mihin palveluun hän on oikeasti ollut kirjautumassa.
Asiointipalveluiden ja välityspalveluiden on sovittava yhdessä nimitieto, joka yksiselitteisesti kertoo käyttäjälle mihin palveluun hän on hyväksymässä tunnistuspyyntöä. Käyttäjän tulee pystyä helposti tarkistamaan palvelun nimi, mihin hän on kirjautumassa. Esimerkiksi niin, että käyttäjä menee selaimellaan “Verkkokauppa Verho”:n verkkokauppaan. Tunnistuksen eri vaiheissa käyttäjän tulisi nähdä tämä sama tieto “Olet tunnistautumassa: Verkkokauppa Verho”. Tämä nimitieto kulkee mukana kaikissa niissä tunnistustapahtuman askelissa, missä se on mahdollista näyttää. Mobiilitunnistuksessa tämä tieto kulkee aina tunnistusvälineeseen asti. Tiedon avulla on tarkoitus helpottaa käyttäjää tunnistamaan ne tilanteet, joissa hänet on mahdollisesti väärin perustein houkuteltu tunnistautumaan täysin eri palveluun.
Toinen loppukäyttäjälle näkyvä uudistus on tuttu jo joidenkin tunnistusmenetelmien kohdalla. Istuntotunniste on esimerkiksi merkkijono, jonka tulisi olla sama sekä selaimessa että tunnistusvälineessä, joka sellaisen pystyy näyttämään. Jos istuntotunnisteet eivät täsmää, voi olla kyseessä oikeudeton tunnistuspyyntö, jolloin tunnistustapahtuma tulee katkaista. Istuntotunniste ei kuitenkaan estä kalasteluyrityksiä, joissa kalastelija pystyy näyttämään käyttäjälle selaimessa väärennettyä tietoa.
Molemmat käyttäjälle näkyvät parannukset pyrkivät vähentämään vahvaan sähköiseen tunnistukseen kohdistuvia uhkia. Parannusten täysimittainen hyödyntäminen edellyttää joko mobiilivarmenteen tai tunnistussovelluksen käyttöä.
Kaikkia uhkia ja väärinkäytöksiä ei kuitenkaan koskaan voida sulkea pois. Sähköisessä asioinnissa on aina muistettava huolellisuus. Vahva sähköinen tunnistusväline on henkilöllisyystodistuksesi verkossa. Vahvaa sähköistä tunnistusta ei tule myöskään tehdä kiireisessä tilanteessa.
Tomi Engdahl says:
Will A.I. Become the New McKinsey?
https://www.newyorker.com/science/annals-of-artificial-intelligence/will-ai-become-the-new-mckinsey
When we talk about artificial intelligence, we rely on metaphor, as we always do when dealing with something new and unfamiliar. Metaphors are, by their nature, imperfect, but we still need to choose them carefully, because bad ones can lead us astray. So, I would like to propose another metaphor for the risks of artificial intelligence. I suggest that we think about A.I. as a management-consulting firm, along the lines of McKinsey & Company. Firms like McKinsey are hired for a wide variety of reasons, and A.I. systems are used for many reasons, too. But the similarities between McKinseya consulting firm that works with ninety per cent of the Fortune 100and A.I. are also clear
Tomi Engdahl says:
Käytätkö verkkopalveluja? Näin sähköinen tunnistautuminen muuttuu kesäkuussa https://www.iltalehti.fi/tietoturva/a/1529ed40-2c7c-47f4-b8ad-617affd2b59e
Verkkoasiointiin on tulossa merkittävä uudistus, jonka on tarkoitus selventää niiden käyttäjälle tarkemmin sitä, että mihin palveluun hän on kirjautumassa. Uudistuksella parannetaan myös käyttäjän verkkoturvallisuutta sähköisissä palveluissa. Uudistus astuu voimaan kesäkuussa 2023.
Kyberturvallisuuskeskus kertoo tiedotteessaan, että käyttäjälle on jatkossa tulossa palvelun nimitiedot tarkemmin selville. Käytännössä tämä tarkoittaa, että verkkopalveluihin kirjautuessa myös varmennelaitteella ilmoitetaan palvelun nimi, mihin käyttäjä on kirjautumassa.
– Esimerkiksi niin, että käyttäjä menee selaimellaan “Verkkokauppa Verho”:n verkkokauppaan. Tunnistuksen eri vaiheissa käyttäjän tulisi nähdä tämä sama tieto “Olet
tunnistautumassa: Verkkokauppa Verho”, tiedotteessa kerrotaan.
Mikäli tunnistetiedot eivät täsmää käyttäjä voi päätellä, että hänet on houkuteltu väärään palveluun.
Tomi Engdahl says:
It’s All in the Name: How Unit 42 Defines and Tracks Threat Adversaries https://unit42.paloaltonetworks.com/from-activity-to-formal-naming/
Within Unit 42 Threat Intelligence, we are often asked, “How does Unit 42 define and track actor activity?” To answer this question, we’ll give you a glimpse into our day-to-day activities, specifically focusing on how Unit 42 Threat Intelligence tracks behavior-based activity clusters.
The convention that Unit 42 Threat Intelligence uses for naming formal threat actor groups has been discussed in a previous blog. In this post, we’ll step back to give you a broader view, covering how the Unit 42 team builds and tracks activity clusters, and then associates this behavior with temporary threat actor groups. We’ll also discuss how we decide when to enact our formal actor naming and definition processes.
Tomi Engdahl says:
Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/
Since 2020, CrowdStrike has increasingly observed big game hunting (BGH) threat actors deploying Linux versions of ransomware tools specifically designed to affect VMWare’s ESXi vSphere hypervisor. In the first quarter of 2023, this trend has continued:
Ransomware-as-a-service (RaaS) platforms including Alphv, Lockbit and Defray have been leveraged to target ESXi.
This trend is especially noteworthy given that ESXi, by design, does not support third-party agents or antivirus software and VMware states in its documentation that antivirus software is not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.