DDoS attack on Andorra’s internet
Last week a DDoS attack on Andorra’s internet telecom shut down the country’s internet. The attack took place during a high-stakes Minecraft tournament that featured rules from the Netflix TV show Squid Game. During the 2nd day of the tournament, the DDoS attacks prevented players from connecting to the tournament due to issues with the ISP and the amount of traffic on the network. Some of the reports from the tournament stated that some of the attacks went as high as 100 Gbps during short bursts. Besides interrupting the tournament, many of Andorra’s other local businesses, government agencies and home consumers were also affected by the DDoS.
Apple paid a $100,500 bug bounty to a researcher who showed Apple how its webcams can be hijacked via a universal cross-site scripting bug. This bug gave an attacker the ability to gain full access to every website ever visited by the victim. Ryan Pickren is the bug-finder and this isn’t the first bug he’s found. He is the founder of proof-of-concept sharing platform BugPoC and a former Amazon Web Services security engineer. In 2020, he also discovered vulnerabilities in the Safari browser that could be used to spy on iPhones, iPads and Mac computers using their microphones and cameras. The only thing that had to be done was convincing a target to click on a malicious link. With this new bug, Pickren found a series of flaws that could lead to unauthorized camera access, which would again allow an attack to be launched from a malicious site.
I found this article interesting because this college student, Nina Levine, is pursuing a five-year diploma (undergraduate and master’s combined) to research technologies to detect radioactive material. Levine is focused on a process called neutron resonance transmission analysis (NRTA), which is used for identifying specific kinds of special nuclear materials. Elements come in different forms, or isotopes, and one way to differentiate among isotopes is to bombard them with neutrons.
I picked up this article after I glared at the cost and decided to give it a read. It is expected that by 2025 cybercrime will have cost the world 10.5 trillion dollars (up from 3 trillion in 2020). What is even more staggering is when we start delving into detection and prosecution rates for cybercrime. Only 0.05% of cybercrime is detected and prosecuted according to this article. When you put this in perspective it makes more sense why cybercrime is rising: it’s low risk and extremely high reward. We can compare the cybercrime industry, which is now worth roughly 10.5 trillion dollars, to the cybersecurity industry. In 2004, the cybersecurity industry was only worth 3.5 billion dollars. By 2017 this industry was estimated to be worth more than 120 billion, and it’s still growing drastically. I thought it was mind boggling when we compare industries, and that cybersecurity is only a fraction of the cost that cyberattacks have on the world economy. That makes sense, because if protecting cost more than losing, then nobody would protect their assets.
Last week I posted an article that referenced the rising tensions between Russia and Ukraine. Similarly, this article touches on the same topic. Moreover, it reports on a meeting that is scheduled between a White House cyber security official (Anne Neuberger) and European (Polish and Baltic) counterparts to discuss aggressive cyber attacks against Ukraine by Russia. The other entities involved in this meeting will include “eastern flank NATO allies and virtual meetings with German and French officials.” The goal of this meeting is to deter, disrupt, and respond to Russia’s aggression in cyberspace. Moreover, “preparing for cyber attacks and supporting Ukraine” is also one of the agenda items of this meeting.
Russia has targeted and hijacked Ukrainian government websites, warning them and their civilians to “be afraid and expect the worst”. Some of the pages aren’t even accessible. This has prompted Kyiv (the capital and most populous city of Ukraine) to open an investigation. The findings assert that these attacks came from Belarus (a close ally of Russia). Nevertheless, Russia still denies that they are planning an invasion despite deploying 100,000 troops along the border of Ukraine, which has caused fears of war.
OpenSubtitles had a data breach where the hacker explained in a forum post how he gained access. The hacker was able to crack the low-security password for the super admin account and through that he had access to an unsecured script. The script allowed SQL injection and data extraction. The passwords were stored in MD5 without being salted, so this is how the hacker was able to bypass this as well, as the passwords were very weak. Now they are using stronger security measures such as a strong password policy, removing session information, captchas on login and storing user passwords using hash_hmac and SHA-256 algorithms.
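As an added example (not code from the post or from OpenSubtitles), the Python below contrasts the two storage schemes the post names: it groups users whose unsalted MD5 digests collide, then shows a per-user salted HMAC-SHA256 record with a constant-time check that upgrades a legacy MD5 record transparently at login. The user names, passwords and server key are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample: a legacy user table as the breach describes it,
# passwords stored as unsalted MD5 hex digests (hypothetical users).
LEGACY_USERS = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"password123").hexdigest(),
    "carol": hashlib.md5(b"S0me-l0nger-Passphrase!").hexdigest(),
}

# Hypothetical server-side secret used as the HMAC key (a "pepper").
# Placeholder value only; in deployment it lives outside the database.
SERVER_KEY = bytes.fromhex("00" * 32)


def duplicate_digest_groups(users: dict[str, str]) -> dict[str, list[str]]:
    """Group users sharing an identical stored digest.

    With unsalted MD5, equal passwords give equal digests, so one cracked
    digest exposes every account in its group and precomputed tables apply.
    """
    groups: dict[str, list[str]] = {}
    for name, digest in users.items():
        groups.setdefault(digest, []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}


@dataclass(frozen=True)
class StoredHash:
    scheme: str   # "md5" (legacy) or "hmac-sha256"
    salt: bytes   # empty for legacy md5 records
    digest: str   # hex


def hash_hmac_sha256(password: str, salt: bytes) -> str:
    """Keyed, salted hash: HMAC-SHA256(server_key, salt || password)."""
    return hmac.new(SERVER_KEY, salt + password.encode(), hashlib.sha256).hexdigest()


def new_record(password: str) -> StoredHash:
    """Create a record with a fresh random salt, so equal passwords differ."""
    salt = secrets.token_bytes(16)
    return StoredHash("hmac-sha256", salt, hash_hmac_sha256(password, salt))


def verify_and_upgrade(record: StoredHash, password: str) -> tuple[bool, StoredHash]:
    """Check a login and, if the record is still legacy MD5, rehash it.

    Returns (ok, record_to_store). Comparison is constant-time so the
    digest is not leaked byte by byte through timing.
    """
    if record.scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, record.digest)
        # Transparent migration: the plaintext is only available at login.
        return ok, (new_record(password) if ok else record)
    candidate = hash_hmac_sha256(password, record.salt)
    return hmac.compare_digest(candidate, record.digest), record


if __name__ == "__main__":
    print("colliding legacy digests:", duplicate_digest_groups(LEGACY_USERS))
    legacy = StoredHash("md5", b"", LEGACY_USERS["alice"])
    ok, upgraded = verify_and_upgrade(legacy, "password123")
    print("login ok:", ok, "-> stored scheme now:", upgraded.scheme)
```

HMAC-SHA256 is still a fast hash; a deliberately slow KDF such as PBKDF2, scrypt or Argon2 is the usual recommendation for password storage, and the same upgrade-at-login pattern applies to it.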
Article: School District reports a 334% hike in cybersecurity insurance costs
Author: Bill Toulas
Published: January 22, 2022
Link: https://www.bleepingcomputer.com/news/security/school-district-reports-a-334-percent-hike-in-cybersecurity-insurance-costs/
Bloomington School District in Illinois published their cyber insurance renewals which saw a 334% increase from the previous year. The drastic change was the result of threats like ransomware increasing in frequency. Smaller school districts are often the target for adversaries as they lack the IT resources compared to larger organizations. This enables less skilled actors to be effective in their attacks. Schools typically have significant insurance policies which makes them a prime target for adversaries looking for fast payments. In addition to the increase in premiums, the insurer is requiring that the district enforce MFA across all accounts. MFA is an effective control against ransomware as it helps prevent unauthorized logins.
Bloomington School District isn’t alone in facing steep increases in insurance premiums due to cyber threats. Many organizations across different sectors, e.g. healthcare, higher ed, etc, are facing the same burden as cyber attacks continue to rise. Any organization that’s perceived as “soft” by bad actors is at an increased risk for attack.
Hackers Using Device Registration Trick to Attack Enterprise with Lateral Phishing
The Hacker News: https://thehackernews.com/2022/01/hackers-using-device-registration-trick.html
This article explains the email-based social engineering used by criminals to spread spam emails and increase the infection pool. The user accounts that were not secured using MFA created a chance for attackers to steal credentials in target organizations and use them to expand their foothold.
Users started receiving phishing links (Docusign-branded); once they clicked the link, it directed them to a rogue website requesting that Office 365 login credentials be entered. Using this phishing method, attackers accessed 100 mailboxes and implemented an inbox detection rule in users’ Outlook. Then the second phase started with attacker-controlled devices joining Azure AD. This helped attackers expand their attack and move laterally through the network.
Facebook Messenger: The battle over end-to-end encryption
The UK government and a coalition of charities are urging the British public to put pressure on Facebook not to introduce end-to-end encryption (E2EE) on its Messenger service.
If Facebook rolls out the ultra-secure messaging system, the campaign says, more children will be put at risk from online predators.
The public debate is likely to be fierce, as privacy campaigners and technology companies argue the system is needed to protect personal privacy and data security.
And the battle is being watched closely around the world, as many governments are also keen to halt the spread of end-to-end encryption in its current form.
For years, authorities in the UK, Australia, Canada, New Zealand, United States, India and Japan plus law enforcement agencies such as Interpol and the UK’s National Crime Agency (NCA) have criticised the technology.
Meanwhile, billions of people have embraced end-to-end encryption by using services such as WhatsApp, iMessage and Signal.
https://www.bbc.com/news/technology-60055270
Shipment-Delivery Scams Become the Favored Way to Spread Malware
Research has found that an increasing number of recent phishing campaigns spoof package couriers such as DHL or the U.S. Postal Service. Such phishing has become common as people widely use shipping services and are comfortable receiving emailed documents related to shipments. Examples include Trickbot phishing emails claiming to be non-delivery notices from the US Post Office but actually containing malicious links, and fake DHL phishing emails that spread “a dangerous Trojan virus” by notifying victims that a shipment has arrived and asking them to click on an attachment to find out more details.
Shipping delays and supply chain issues have become common during the pandemic and will be an attractive lure for potential victims accustomed to receiving such emails. Also, being notified of a missed delivery attempt due to supply chain delays can lead to frustration and tempt recipients to open the invoice link for further investigation. However, the emails contained a sender address that was completely unrelated to the USPS, an easy reminder of their devious intentions.
Link: https://threatpost.com/shipment-delivery-scams-a-fav-way-to-spread-malware/178050/
“Patching the CentOS 8 Encryption Bug is Urgent – What Are Your Plans?”
There are three things you can be sure of in life: death, taxes – and new CVEs. For organizations that rely on CentOS 8, the inevitable has now happened, and it didn’t take long. Just two weeks after reaching the official end of life, something broke spectacularly, leaving CentOS 8 users at major risk of a severe attack – and with no support from CentOS.
https://thehackernews.com/2022/01/patching-centos-8-encryption-bug-is.html
A push into untraceable payments could put end-to-end encryption at risk
The article discusses the encrypted messaging app Signal’s introduction of anonymous cryptocurrency payments and the opportunity it could create for regulators around the world who have been looking for an excuse to eliminate end-to-end encryption altogether.
Signal was considering adding cryptocurrency payments to the platform, and it started with MobileCoin. Signal CEO Moxie Marlinspike has served as an adviser to the MobileCoin cryptocurrency, which is built on the Stellar blockchain and is designed to make payments as anonymous as cash. Signal announced a test of the integration in the United Kingdom in the spring, and it quietly rolled out to the rest of the world in mid-November.
Current and former Signal employees told me they were worried about what that combination would bring to the app. Anonymous transactions would likely attract criminals, they told me, and that in turn would attract regulatory scrutiny. Given that end-to-end encryption already faces legal challenges around the globe, they said, Signal’s addition of anonymous payments was a needless provocation.
Link: https://www.theverge.com/22872133/signal-cryptocurrency-payments-encryption-invite-regulator-scrutiny
New Cryptography Method Promising Perfect Secrecy is Met With Skepticism
https://spectrum.ieee.org/new-cryptography-method-promises-perfect-secrecy-amidst-skepticism
Andrea Fratalocchi is an electrical engineer at King Abdullah University of Science and Technology. He and his colleagues “use chaotic light states to safeguard the secrecy of the keys instead of relying on quantum physics to make digital keys secure.” He described that his new approach would be compatible with many different authentication techniques.
https://www.forbes.com/sites/edwardsegal/2022/01/29/why-businesses-should-follow-government-in-adopting-zero-trust-cybersecurity-strategies/?sh=7f8b30947f55
https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
This week the Office of Management and Budget (OMB) released its plan to move the US government to a zero-trust approach to cybersecurity. According to a memo from the OMB, “A key tenet of a zero-trust architecture is that no network is implicitly considered trusted—a principle that may be at odds with some agencies’ current approach to securing networks and associated systems. All traffic must be encrypted and authenticated as soon as practicable. It is a dramatic paradigm shift in the philosophy of how we secure our infrastructure, networks, and data, from verifying once at the perimeter to continual verification of each user, device, application, and transaction.”
Internet Society condemns UK’s Online Safety Bill for demonising encryption using ‘think of the children’ tactic
Britain’s Online Safety Bill is being critiqued for its plan to force service providers to weaken or remove encryption to meet new content identification and removal requirements. The government’s rationale is that end-to-end encryption will “turn social media into a pedophile’s paradise”. In reality, research suggests that surveillance orders are deployed to target drug offenders first and foremost. Despite the claims of their desire to protect users online, by weakening encryption, the Bill will undermine critical elements that make the Internet an open, globally connected, secure and trustworthy resource for everyone. Businesses and employees rely on encryption to do their jobs effectively and safely, and to ensure the confidentiality of sensitive information.
Link: https://www.theregister.com/2022/01/28/internet_society_calls_out_uk_encryption_war/
“The Quantum Threat To Cryptography: Don’t Panic, But Prepare Now”
by Mike Brown of Forbes
January 11th 2022
As we read briefly in chapter 3 this week, quantum key cracking may pose a huge threat to traditional cryptographic methods in the near future. The article mentions that current public-key cryptography is expected to be broken by a large-scale quantum computer as soon as eight years from now, which poses a huge risk to entire infrastructures, networks, & databases. This is because every type of modern business depends on cryptography to secure transactions & authenticate identities. The article goes on to mention there’s no need to panic if organizations begin to act now, but not enough have begun to address the quantum threat. They do not understand why they should begin acting on a threat that could be a few years away when there are current threats to worry about, and they also simply do not understand what’s at stake. The article goes on to mention that organizations have the time & ability to make a seamless transition to quantum-safe cryptography, but they need to gain familiarity with new algorithms, inventory assets, & conduct impact analysis in order to prioritize high-value assets for migration. The article then lists 7 ways organizations can prepare for said migration:
1. Protect communications from harvest/decrypt today to secure protection ten years from now
2. Identify/inventory business-critical systems, applications, & information that may be vulnerable
3. Share crypto visibility with current vendors, contractors, etc & insist that they have a quantum-safe roadmap in place & to share plans
4. Begin building migration plan knowing it could take years due to complexity & past cryptography examples
5. Develop identity/IAM plan as large public key infrastructures will be incredibly difficult to transition
6. Plan includes protecting over-the-air software updates
7. Check latest NIST recommendations, Government guidance, & understand timelines to PQC standards
According to DHS secretary Alejandro Mayorkas, “Now is the time for organizations to assess and mitigate their related risk exposure. As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals. This new roadmap will help protect our critical infrastructure and increase cybersecurity resilience across the country.”
To conclude the article, preparations will not be simple, but they should begin now and follow appropriate migration plans.
https://www.forbes.com/sites/forbestechcouncil/2022/01/11/the-quantum-threat-to-cryptography-dont-panic-but-prepare-now/?sh=6550da96713a
This article points out five best practices in cryptography for developers. Most of the topics included are also covered in our book but I found the note on using established cryptography to be interesting. The well-established, standard cryptographic schemes that most organizations use today were created by someone at some point but they have been tested and adjusted thoroughly by many different experts for years. It is almost always safer to protect information using the well-established, proven algorithms that are already available. Bruce Schneier, a cryptographer, computer security professional, privacy specialist, and writer has a great quote on this: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.” I do believe that developers should continue exploring new possibilities and building their own schemes to further cryptography but it’s probably best to put what they build through the same thorough testing of today’s standard cryptographic schemes before treating them as secure.
Original article:
https://securityboulevard.com/2022/01/five-cryptography-best-practices-for-developers/
The rabbit hole that followed:
https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign
https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
https://en.wikipedia.org/wiki/Cryptographic_primitive
Internet Society condemns UK’s Online Safety Bill for demonising encryption using ‘think of the children’ tactic
There is a bill presented in Britain that would seek to remove end-to-end encryption on the internet. This bill is being considered due to the key rationalization that it will help protect children by more easily exposing child predators. However, many skeptics believe that while this is the rationale that has been given, it is not the ultimate motive for removing the ability for end-to-end encryption. Data from other countries suggests that the surveillance is mostly to be used for drug dealers and not the predators that the proponents of the bill are citing. One of the bill’s biggest opponents is the Internet Society, which is a group that was founded by Vint Cerf and Bob Kahn. This group is one of the oldest and most respected institutions when it comes to influencing the path of the public internet. Their forthright opposition to this bill should and does carry a heavy weight and is something policymakers should be aware of. If the Internet Society is calling the bill draconian and denouncing the policy, it is something that should be considered detrimental to the health of the internet.
https://www.theregister.com/2022/01/28/internet_society_calls_out_uk_encryption_war/
https://www.androidauthority.com/password-managers-secure-3080353/
This article provides information to users who are considering adopting a password manager application. Many breaches we have seen in the past can be attributed to users utilizing the same password credentials across several different sites and services. Today’s password managers are a great option to limit the reuse of previously used passwords and help establish a new, never-before-used one that is extremely difficult for hackers to decrypt. Largely, these password managers require the user to remember one master password in order to access the passwords for all of the other sites and services they access. Furthermore, these password managers use what’s called zero knowledge encryption, which means the application never stores the master password internally. The article states, “It’s for this reason that no credible password manager service will ever record your master password or keep a copy of the encryption keys used to decrypt your vault. In other words, the application has “zero knowledge” of the encrypted passwords”. The downside, however, is that if you forget your master password you can’t simply request “forgot password” on the site or contact customer support over the phone, because as the name of the encryption algorithm indicates, the provider does not have the ability to access and regain the master password credential.
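The zero-knowledge design described above, as an added sketch that is not code from the article or from any password manager: the client stretches the master password into keys, seals the vault, and the server only ever receives the sealed blob. Standard library only, so the cipher is an HMAC-SHA256 counter-mode keystream chosen for illustration (a real product would use AES-GCM or similar), and the iteration count is an assumed value.

```python
"""Zero-knowledge vault sketch: the server never sees the master password.

Added example for the password-manager summary above, not code from the
article. Standard library only: the cipher is an HMAC-SHA256 counter-mode
keystream (a PRF stream cipher used here for illustration; a real product
would use AES-GCM or similar).
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the demo)


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 64)
    return root[:32], root[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Client side: encrypt-then-MAC. Only the returned dict is sent to the server."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_vault(master_password: str, blob: dict) -> Optional[bytes]:
    """Returns the plaintext, or None when the master password is wrong."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # nothing stored server-side can recover a forgotten password
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))
```

The stored blob holds a salt, a nonce, ciphertext and a tag, none of which lets the provider reconstruct the master password or the keys, which is exactly why a "forgot password" flow cannot exist.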
DDoS attack on Andorra’s internet
Last week a DDoS attack on Andorra’s internet telecom shut down the country’s internet. The attack took place during a high-stakes Minecraft tournament that featured rules from the Netflix TV show Squid Game. During the 2nd day of the tournament, the DDoS attacks prevented players from connecting to the tournament due to issues with the ISP and the amount of traffic on the network. Some of the reports from the tournament stated that some of the attacks went as high as 100 Gbps during short bursts. Besides interrupting the tournament, many of Andorra’s other local businesses, government agencies and home consumers were all affected by the DDoS.
Apple Pays $100.5K Bug Bounty for Mac Webcam Hack
Apple paid a $100,500 bug bounty to a researcher who showed Apple how its webcams can be hijacked via a universal cross-site scripting bug. This bug gave an attacker the ability to gain full access to every website ever visited by the victim. Ryan Pickren is the bug-finder and this isn’t the first bug he’s found. He is the founder of proof-of-concept sharing platform BugPoC and a former Amazon Web Services security engineer. In 2020, he also discovered vulnerabilities in the Safari browser that could be used to spy on iPhones, iPads and Mac computers using their microphones and cameras. The only thing that had to be done was convincing a target to click on a malicious link. With this new bug, Pickren found a series of flaws that could lead to unauthorized camera access, which would again allow an attack to be launched from a malicious site.
https://threatpost.com/apple-bug-bounty-mac-webcam-hack/178114/
I found this article interesting because this college student, Nina Levine, is pursuing a 5-year diploma (combined undergraduate and master’s) to research technologies to detect radioactive material. Levine is focused on a process called neutron resonance transmission analysis (NRTA), which is used for identifying specific kinds of special nuclear materials. Elements come in different forms, or isotopes, and one way to differentiate among isotopes is to bombard them with neutrons.
https://news.mit.edu/2021/nina-levine-toward-more-secure-world-0325
I picked up this article after I glared at the cost and decided to give it a read. It is expected that by 2025 cybercrime will have cost the world 10.5 trillion dollars (up from 3 trillion in 2020). What is even more staggering is when we start delving into detection and prosecution rates for cybercrime. Only 0.05% of cybercrime is detected and prosecuted according to this article. When you put this in perspective it makes more sense why cybercrime is rising – it’s low risk and extremely high reward. We can compare the cybercrime industry, which is now worth roughly 10.5 trillion dollars, to the cybersecurity industry. In 2004, the cybersecurity industry was only worth 3.5 billion dollars. In 2017 this industry was estimated to be worth more than 120 billion and it’s still growing drastically. I thought it was mind boggling when we compare industries, and that cybersecurity is only a fraction of the cost that cyberattacks have on the world economy. That makes sense, because if protecting cost more than losing, then nobody would protect their assets.
https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
Last week I posted an article that referenced the rising tensions between Russia and Ukraine. Similarly, this article touches on the same topic. Moreover, it reports on a meeting that is scheduled between a White House cyber security official (Anne Neuberger) and European (Polish and Baltic) counterparts to discuss aggressive cyber attacks against Ukraine by Russia. The other entities involved in this meeting will include “eastern flank NATO allies and virtual meetings with German and French officials.” The goal of this meeting is to deter, disrupt, and respond to Russia’s aggression in cyberspace. Moreover, “preparing for cyber attacks and supporting Ukraine” is also one of the agenda items of this meeting.
Russia has targeted and hijacked Ukrainian government websites, warning them and their civilians to “be afraid and expect the worst”. Some of the pages aren’t even accessible. This has prompted Kyiv (the capital and most populous city of Ukraine) to open an investigation. The findings assert that these attacks came from Belarus (a close ally of Russia). Nevertheless, Russia still denies that they are planning an invasion despite deploying 100,000 troops along the border of Ukraine, which has caused fears of war.
https://www.reuters.com/world/europe/white-house-official-discuss-ukraine-cyber-security-with-european-allies-2022-02-01/
https://portswigger.net/daily-swig/opensubtitles-data-breach-users-asked-to-re-secure-accounts-after-plaintext-password-snafu
OpenSubtitles had a data breach where the hacker explained in a forum post how he gained access. The hacker was able to hack the low-security password for the super admin, and through that he had access to an unsecured script. The script allowed SQL injection and data extraction. The passwords were stored in MD5 without being salted, so this is how the hacker was able to bypass this as well, since the passwords were very weak. Now they are using stronger security measures such as a strong password policy, removing session information, captchas on login and storing user passwords with hash_hmac and the SHA-256 algorithm.
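The storage change described above, as an added example that is not the site’s own code: the unsalted-MD5 scheme from the breach next to a salted HMAC-SHA256 scheme with a server-side pepper, plus the audit check a defender would run over a password dump. The pepper and sample users are constructed for the demo; note that HMAC-SHA256 is still a fast hash, so a deliberately slow password hash (bcrypt, scrypt or Argon2) is the stronger choice for stored credentials.

```python
"""Password storage: the unsalted-MD5 scheme from the breach beside a salted
HMAC-SHA256 scheme like the one the site moved to.

Added example for the OpenSubtitles summary above, not the site's own code.
The pepper and sample users are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable

PEPPER = b"server-side-secret-kept-outside-the-database"  # constructed sample


def md5_record(password: str) -> str:
    """The breached scheme: same password -> same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hmac_record(password: str) -> Dict[str, str]:
    """Per-user random salt, with the server-side pepper as the HMAC key."""
    salt = os.urandom(16)
    digest = hmac.new(PEPPER, salt + password.encode(), "sha256").hexdigest()
    return {"salt": salt.hex(), "digest": digest}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Constant-time comparison so timing does not leak digest prefixes."""
    salt = bytes.fromhex(record["salt"])
    digest = hmac.new(PEPPER, salt + password.encode(), "sha256").hexdigest()
    return hmac.compare_digest(digest, record["digest"])


def duplicate_digest_ratio(digests: Iterable[str]) -> float:
    """Audit check over a dump: repeated digests mean unsalted hashing."""
    digests = list(digests)
    return 1 - len(set(digests)) / len(digests) if digests else 0.0


if __name__ == "__main__":
    users = {"alice": "123456", "bob": "123456", "carol": "letmein"}
    weak = {u: md5_record(p) for u, p in users.items()}
    strong = {u: hmac_record(p) for u, p in users.items()}
    print("md5 duplicate share:", duplicate_digest_ratio(weak.values()))
    print("hmac duplicate share:", duplicate_digest_ratio(r["digest"] for r in strong.values()))
    print(verify("123456", strong["alice"]), verify("wrong", strong["alice"]))
```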