Had a Microsoft developer not spotted the malware when he did, the outcome could have been much worse.

Source: ozrimoz via Shutterstock

A newly discovered backdoor in XZ Utils, a data compression utility present in nearly all Linux distributions, has revived the ghosts of previous major software-supply chain security scares such as the Log4Shell vulnerability and the attack on SolarWinds.

The backdoor is embedded in an XZ library called liblzma and gives remote attackers a way to bypass secure shell (sshd) authentication and then gain complete access to an affected system. An individual with maintainer-level access to the code appears to have deliberately introduced the backdoor in a painstakingly executed, multiyear attack.

**A Shock to the OSS Community**

The backdoor affects XZ Utils 5.6.0 and 5.6.1, which are versions of the utility currently used only in unstable and beta releases of Fedora, Debian, Kali, open SUSE, and Arch Linux. As a result, the potential threat with this backdoor for now is considerably more limited than if the malware had found its way into a stable Linux distro.

Even so, the fact that someone managed to sneak a nearly undetectable backdoor into a trusted, widely used open source component — and the potential havoc it could have caused — has come as a painful wakeup call on how vulnerable organizations remain to attacks via the supply chain.

"This supply chain attack came as a shock to the OSS community, as XZ Utils was considered a trusted and scrutinized project," JFrog researchers said in a blog post. "The attacker built up a credible reputation as an OSS developer over the span of multiple years and used highly obfuscated code in order to evade detection by code reviews."

XZ Util is a command-line utility for compressing and decompressing data in Linux and other Unix-like operating systems. Microsoft developer Andres Freund discovered the backdoor in the software when investigating odd behavior in recent weeks around liblzma on some Debian installations. After initially thinking the backdoor was purely a Debian problem, Freund discovered the issue actually impacted the upstream XZ repository and associated tarballs or archive files. He publicly disclosed the threat on March 29.

Over the weekend, security teams associated with Fedora, Debian, openSUSE, Kali, and Arch issued urgent advisories alerting organizations running the affected Linux releases to immediately revert to earlier, more stable releases of their software to mitigate the potential risk of remote-code execution.

**Maximum Severity Vuln**

Red Hat, the primary sponsor and contributor to Fedora, assigned the backdoor a vulnerability identifier (CVE-2024-3094) and assessed it as a maximum severity risk (CVSS score of 10) to draw attention to the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) joined the chorus of voices urging organizations using affected Linux distributions to downgrade their XZ Utils to an earlier version, and to hunt for any potential activity related to the backdoor and report any such findings to the agency.

All of the advisories offered tips for users on how to quickly check for the presence of the back-doored XZ versions in their code. Red Hat released an update that reverts XZ to previous versions, which the company will make available via its normal update process. But users concerned about potential attacks can force the update if they don't want to wait for the update to become available via the normal process, the company said.

Today Binarly released a free tool that organizations can use to look for backdoored XZs as well.

"Had this malicious code been introduced to stable OS releases in multiple Linux distributions, we could have seen in-the-wild exploitation en-masse," says Scott Caveza, staff research engineer at Tenable. "The longer this went unnoticed, the greater the potential for more malicious code from whomever this malicious actor might be."

In an FAQ, Tenable described the backdoor as modifying functions within liblzma in such a way as to allow attackers to intercept and modify data within the library. "In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to 'break sshd authentication,' allowing the attacker to gain access to an affected system," noted the researchers.

**XZ Utils "Maintainer" Behind the Backdoor**

What makes the backdoor especially troublesome is the fact that someone using an account belonging to a maintainer of XZ Util embedded the malware in the package in what appears to have been a carefully planned multiyear operation. In a widely referenced blog post, security researcher Evan Boehs traced the malicious activity back to 2021 when an individual using the name Jia Tan created a GitHub account and almost immediately started making suspicious changes to some open source projects.

The blog post provides a detailed timeline of the steps Jia Tan and a couple of other individuals took to gradually build enough trust within the XZ community to make changes to the software and eventually introduce the backdoor.

"All the evidence points to social manipulation being used by a person with the sole end goal of inserting a backdoor," Boehs tells Dark Reading. "Basically, there was never a genuine effort to maintain the project, only to gain enough trust to insert \[the backdoor\] quietly."

Typically, gaining commit access to a repository requires an individual to establish a sense of trustworthiness. Often, projects give new commit access to individuals only when there is a need for it and after some risk assessment, Boehs says.

"In this case, Jia created a \[seemingly\] legitimate need for more maintainers ... and then began building trust. Our society is built on trust, and occasionally some crafty people exploit it," he notes. "Gaining permission requires trust. Trust takes time to establish. Jia was in it for the long game."

Boehs says it's unclear when exactly Jia Tan became a trusted member of the repository. But soon after his first commit in 2022, Jia Tan became a regular contributor and is currently the second-most active on the project. GitHub has since suspended Jia Tan's account.

Saumitra Das, vice president of engineering at Qualys, says what happened with XZ Util can happen elsewhere.

"Many critical libraries in open source are being maintained by volunteers in the community who are not paid for it and can be under pressure due to their personal issues," Das says.

Maintainers who are under pressure often welcome contributors who are willing to spend even a little bit of time on their projects. "Over, time, such folks can gain more control over the code," as was the case with XZ Utils, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack

Cybersecurity analysts use playbooks as a guide to quickly investigate and respond to incidents, but regularly neglect to keep the process documents up to date.

Source: Ivelin Radkov via Alamy Stock Photo

Every company should have a general incident response plan that establishes an incident response team, designates the members, and outlines their strategy for reacting to any cybersecurity incident.

To consistently act on that strategy, however, companies need playbooks — tactical guides that walk responders through investigation, analysis, containment, eradication, and recovery for attacks such as ransomware, a malware outbreak, or business email compromise. Organizations that do not follow a playbook for security will frequently suffer more serious incidents, says John Hollenberger, senior security consultant with Fortinet's Proactive Services group. In nearly 40% of the global incidents Fortinet handles, the lack of adequate playbooks was a contributing factor that led to the intrusion in the first place.

"Quite often we have found that while the company may have the right tools to detect and respond, there was no, or inadequate, processes around said tools," Hollenberger says. Even with playbooks, he says, analysts still have complex decisions to make based on the details of the compromise. He adds, "Without knowledge and forethought by an analyst, the wrong approach may be taken or ultimately hinder response efforts."

Unsurprisingly, companies and researchers are increasingly trying to apply machine learning and artificial intelligence to playbooks — such as getting recommendations on what steps to take while investigating and responding to an incident. A deep neural network can be trained to outperform current heuristic-based schemes, recommending next steps automatically based on the features of an incident and playbooks represented as a series of steps in a graph, according to a paper published in early November by a group of researchers from Ben-Gurion University of the Negev and technology giant NEC.

The BGU and NEC researchers argue that manually managing playbooks can be untenable in the long run.

"Once defined, playbooks are hard-coded for a fixed set of alerts and are fairly static and rigid," the researchers stated in their paper. "This may be acceptable in the case of investigative playbooks, which may not need to be changed frequently, but it is less desirable in the case of response playbooks, which may need to be changed in order to adapt to emerging threats and novel, previously unseen alerts."

**Proper Reactions Require Playbooks**

Automating the detection, investigation, and response to events are the domains of security orchestration, automation, and response (SOAR) systems, which — among other roles — have become the repositories of playbooks to use in the variety of circumstances firms face during a cybersecurity event.

"The world of security is dealing with probabilities and uncertainties — playbooks are a way to reduce further uncertainty by applying a rigorous process to gain predictable final outcomes," says Josh Blackwelder, deputy chief information security officer at SentinelOne, adding that repeatable outcomes requires the automated application of playbooks through SOAR. "There's no magical way to go from uncertain security alerts to predictable outcomes without a consistent and logical process flow."

SOAR systems are becoming increasingly automated, as their name suggests, and adopting AI/ML models to add intelligence to the systems is a natural next step, according to experts.

Managed detection and response firm Red Canary, for example, currently uses AI to identify patterns and trends that are useful in detecting and responding to threats and reducing the cognitive load on analysts to make them more efficient and effective. In addition, generative AI systems can make it easier to communication both a summary and the technical details of incidents to customers, says Keith McCammon, chief security officer and co-founder of Red Canary.

"We don't use AI to do things like make more playbooks, but we are using it extensively to make execution of playbooks and other security operations processes faster and more effective," he says.

Eventually, playbooks may be fully automated through deep learning (DL) neural networks, the BGU and NEC researchers wrote. "\[W\]e aim at extending our method to support complete end-to-end pipeline where, once an alert is received by the SOAR system, a DL-based model handles the alert and deploys appropriate responses automatically — dynamically and autonomously creating on-the-fly playbooks — and thus reducing the burden on security analysts," they wrote.

Yet giving AI/ML models the ability to manage and update playbooks should be done with care, especially in sensitive or regulated industries, says Andrea Fumagalli, senior director of orchestration and automation for Sumo Logic. The cloud-based security management company uses AI/ML-driven models in its platform and for finding and highlighting threat signals in the data.

"Based on multiple surveys that we've conducted with our customers over the years, they are not comfortable yet having AI adapting, amending, and creating playbooks autonomously, either for security reasons or for compliance," he says. "Enterprise customers want to have full control over what is implemented as incident management and response procedures."

Automation needs to be fully transparent, and one way to do that is by showing all the queries and data to the security analysts. "This allows the user to sanity-check the logic and data that is returned and validate the results before moving to the next step," says SentinelOne's Blackwelder. "We feel this AI-assisted approach is the appropriate balance between the risks of AI and the need to accelerate efficiencies to match the rapidly changing threat landscape."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Enhancing Incident Response Playbooks With Machine Learning

PRESS RELEASE

Seattle, Wash., December 4, 2023 – Just two months after Zatik Security opened its doors, it’s announcing its third founding partner and CTO, as well as a curated network of trusted industry partners. Zatik provides top-tier product security guidance for small to medium-sized businesses leveraging a fractional model to make world class expertise accessible.

Today, Zatik is announcing Zack Glick as its third founder and CTO, joining Kymberlee Price (CEO) and Jon Callas (Distinguished Engineer). Glick was previously at Amazon Web Services and brings strong cloud security expertise to the Zatik Security leadership team.

“I am excited to be a founder of Zatik,” said Glick. “Zatik brings flexibility and experience and is able to go in, learn the business, and tailor a security program for each client. I’m looking forward to bringing my background and experience to be part of that.” 

Additionally, Zatik is proud to announce several partnerships to help protect small and medium-sized businesses:

Here is what some of Zatik's partners had to say: 

“When we heard of the highly experienced, innovative, and quality focused team at Zatik we realized it was the security management version of ourselves at IncludeSec! We share the same values of ultra-high quality industry expertise and client service excellence. The partnership between IncludeSec and Zatik is a natural fit as we share the goal of helping companies who are serious about operating securely as they bring products to market.” – Erik Cabetas Founder + Managing Director at Include Security

“We’re happy to partner with Zatik on building security development lifecycle programs that enhance Luta Security’s end-to-end managed vulnerability disclosure and bug bounty programs. Improving security ROI is best with a strong ongoing integration between vulnerability reports and the SDLC.”  – Katie Moussouris, Founder & CEO, Luta Security

“We've been seeing a growing need for best-in-class security maturity at mid-size companies and startups. Appsec as a service, with a seasoned, professional team that would be difficult for an enterprise to recruit and build, let alone mid-size companies and startups, is an incredible value. Zatik is an excellent complement to SideChannel's offerings and we're excited to be partnering together to bring best-in-class security tools to the midmarket.” - David Chasteen, COO of SideChannel

“The future of augmented security teams looks an awful lot like Zatik. We're both proud and excited to be their partner and look forward to the great synergies to come.” - Frank Heidt, CEO of Leviathan Security  
For more information on Zatik Security services, visit https://www.zatik.io. 

About Zatik Security

Founded in 2023, Zatik Security is an employee-owned cooperative. We believe effective cybersecurity should not be out of reach for any company. Zatik Security’s collective of industry experts build high performing security organizations and provide pragmatic world class security guidance for companies of all sizes.  Committed to quality, inclusion, and trust, Zatik Security democratizes access to expert security guidance, making the world a safer, more trustworthy place for generations to come.

Zatik Security Gains Momentum, Announces Co-Founder, CTO, Partner Network

Researchers at Lasso Security found 1,500+ tokens in total that gave them varying levels of access to LLM repositories at Google, Microsoft, VMware, and some 720 other organizations.

Source: Robert Way via Shutterstock

Researchers recently were able to get full read and write access to Meta's Bloom, Meta-Llama, and Pythia large language model (LLM) repositories, in a troubling demonstration of the supply chain risks to organizations using these repositories to integrate LLM capabilities into their applications and operations.

The access would have allowed an adversary to silently poison training data in these widely used LLMs, steal models and data sets, and potentially execute other malicious activities that would heighten security risks for millions of downstream users.

**Exposed Tokens on Hugging Face**

That's according to researchers at AI security startup Lasso Security, who were able to access the Meta-owned model repositories using unsecured API access tokens they discovered on GitHub and the Hugging Face platform for LLM developers.

The tokens they discovered for the Meta platforms were among over 1,500 similar tokens they found on Hugging Face and GitHub that provided them with varying degrees of access to repositories belonging to a total of 722 other organizations. Among them were Google, Microsoft, and VMware.

"Organizations and developers should understand Hugging Face and other likewise platforms aren't working \[to secure\] their users exposed tokens," says Bar Lanyado, a security researcher at Lasso. It's up to developers and other users of these platforms to take the necessary steps to protect their access, he says.

"Training is required while working and integrating generative AI- and LLM-based tools in general," he notes. "This research is part of our approach to shine a light on these kinds of weaknesses and vulnerabilities, to strengthen the security of these types of issues."

Hugging Face is a platform that many LLM professionals use as a source for tools and other resources for LLM projects. The company's main offerings include Transformers, an open source library that offers APIs and tools for downloading and tuning pretrained models. The company hosts — in GitHub-like fashion — more than 500,000 AI models and 250,000 data sets, including those from Meta, Google, Microsoft, and VMware. It lets users post their own models and data sets to the platform and to access those from others for free via a Hugging Face API. The company has raised some $235 million so far from investors that include Google and Nvidia.

Given the platform's wide use and growing popularity, researchers at Lasso decided to take a closer look at the registry and its security mechanisms. As part of the exercise, the researchers in November 2023, tried to see if they could find exposed API tokens that they could use to access data sets and models on Hugging Face. They scanned for exposed API tokens on GitHub and on Hugging Face. Initially, the scans returned only a very limited number of results, especially on Hugging Face. But with a small tweak to the scanning process, the researchers were successful in finding a relatively large number of exposed tokens, Lanyado says.

**Surprisingly Easy to Find Exposed Tokens**

"Going into this research, I believed we would be able to find a large amount of exposed tokens," Lanyado says. "But I was still very surprised with the findings, as well as the simplicity \[with\] which we were able to gain access to these tokens."

Lasso researchers were able to access tokens belonging to several top technology companies — including those with a high level of security — and gain full control over some of them, Lanyado says.

Lasso security researchers found a total of 1,976 tokens across both GitHub and Hugging Face, 1,681 of which turned out to be valid and usable. Of this, 1,326 were on GitHub and 370 on Hugging Face. As many as 655 of the tokens that Lasso discovered had write permissions on Hugging Face. The researchers also found tokens that granted them full access to 77 organizations using Meta-Lama, Pythia, and Bloom. "If an attacker had gained access to these API tokens, they could steal companies' models which in some cases are their main business," Lanyado says. An attacker with write privileges could replace the existing models with malicious ones or create an entirely new malicious model in their name.  Such actions would have allowed an attacker to gain a foothold on all systems using the compromised models, or steal user data, and/or spread manipulated information, he notes.

According to Lanyado, Lasso researchers found several tokens associated with Meta, one of which had write permissions to Meta Llama, and two each with write permissions to Pythia and Bloom. The API tokens associated with Microsoft and VMware had read only privileges, but they allowed Lasso researchers to view all of their private data sets and models, he says.

Lasso disclosed its findings to all impacted users and organizations with a recommendation to revoke their exposed tokens and delete them from their respective repositories. The security vendor also notified Hugging Face about the issue.

"Many of the organizations (Meta, Google, Microsoft, VMware and more) and users took very fast and responsible actions," according to Lasso's report. "They revoked the tokens and removed the public access token code on the same day of the report."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Meta AI Models Cracked Open With Exposed API Tokens

Aeroblade flew under the radar, slicing through detection checks on a quest to steal sensitive commercial data.

Source: Phil McDonald via Alamy Stock Photo

A US aerospace company was recently subjected to a nearly yearlong commercial cyberespionage campaign, carried out by a seemingly new threat actor researchers have named "AeroBlade."

Unlike the high-stakes aerospace espionage carried out by major nation-state and ransomware groups in recent years, this latest bout, documented last week by Blackberry, follows a characteristically old script: a phishing bait-and-switch, template injection, VBA macro code, and so on.

Though old hat, the campaign — split into a testing (September 2022) and execution phase (July 2023) — managed to remain undetected for the better part of a year thanks to thorough anti-analysis protections.

The ultimate success of the campaign, and the nature of any data which might have been accessed, is not yet known.

**Aerospace Espionage, via Word**

The two attacks began, as so many before it have, with lure documents encased in phishing emails.

Once clicked, the attachments revealed Microsoft Word documents with scrambled text. The documents also contained a suspicious header: "SOMETHING WENT WRONG Enable Content to load the document."

Mimicking the macros notifications of old, the false flag lured victims into clicking and, unwittingly, retrieving and executing a malicious Microsoft Word template (DOTM) file. Injected in the template was a legible decoy document, as well as the instructions for a second-stage infection.

The final payload at the end of this chain was a dynamic link library (DLL) file acting as a reverse shell. The payload collected and exfiltrated system information and directories, and established persistence by creating a task in Windows Task Scheduler, to trigger every morning at 10:10 AM local time.

**Developing Stealth Techniques**

After its initial "test" attack, AeroBlade returned for real with a series of more advanced stealth techniques built into its payload.

The group's staying power may be at least partly attributed to how careful it was in, for example, diligently checking for characteristic signs of a sandbox environment or antivirus software, and also the many ways in which it obfuscated its malicious code.

For example, the executable used custom encoding for each string, and API hashing with MurmurHash to conceal how it used Windows functions. It also came fitted with a number of anti-disassembly techniques including control flow obfuscation, splicing data into code, and using dead-code executed instructions — code which gets executed, but whose result has no bearing on the rest of the program — to throw off analysts.

Given all of the facts of the case, the researchers concluded "with a high degree of confidence that this was a commercial cyberespionage campaign. Its purpose was most likely to gain visibility over the internal resources of its target in order to weigh its susceptibility to a future ransom demand."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'AeroBlade' Group Hacks US Aerospace Company

The DNA testing company believes that the attack has now been contained and is notifying impacted individuals.

Source: MichelMond via Alamy Stock Photo

DNA testing company 23andMe has released further details surrounding an October data breach, where user profile information had been accessed and downloaded at the hands of a threat actor.

On Oct. 1, a threat actor made a post on the Dark Web claiming to possess profile information of 23andMe users; later, the perpetrators released 4 million more records they alleged to be stolen from the company. This led the company to launch an investigation alongside third-party experts. In light of the investigation, 23andMe now reports that the information that was accessed without authorization is a small percentage of user accounts (0.1%).

It also confirmed that the incident was a credential-stuffing attack in which usernames and passwords used for the 23andMe website were the same credentials used for other websites, from which they were stolen.

The compromised information varies from user to user but includes ancestry and health information. The threat actor also accessed user files related to 23andMe's DNA Relatives feature and proceeded to post this information online. 

23andMe now believes that the activity of the threat actor has been contained and is providing notice to impacted individuals. It also requires password changes from its users and implemented a two-step authentication login process for its website. 

Multiple class action claims have been filed against the company, and it expects to spend anywhere between $1 million to $2 million in expenses related to the breach in its third fiscal quarter. 

"The recent breach at 23andMe is a sobering reminder of the sensitivity of genetic data and the need for robust cybersecurity measures. The data accessed is not just a collection of email addresses or passwords but intimate details of an individual's genetic makeup — information that could have serious implications for privacy and could potentially be misused," Javvad Malik, lead security awareness advocate at KnowBe4, wrote in an emailed statement. "Credential stuffing is a known threat and relies on the reuse of passwords across multiple services, highlighting the importance of unique passwords and the use of multifactor authentication to protect accounts — but this incident also shows that the responsibility doesn't end with the end-user. Companies holding such sensitive data must constantly evaluate their security posture and educate users about the best security practices."

23andMe: Data Breach Was a Credential-Stuffing Attack

Multiple agencies warn that attackers have been active since Nov. 22, targeting operational technology (OT) across the US.

Source: roibu via Alamy Stock Photo

Critical infrastructure in multiple US states may have been compromised by Iran-affiliated attackers targeting programmable logic controllers (PLCs).

A warning from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate comes after an attack was detected on a Pennsylvania water authority last week, where the CyberAv3ngers threat group hacked Unitronics Vision Series PLCs.

Researchers believe that the CyberAv3ngers are affiliated with Iranian Government Islamic Revolutionary Guard Corps (IRGC), and are politically motivated to go after the Unitronics PLCs, which have components that are Israeli-owned.

The national intelligence and security agencies are now warning that the attacks extend beyond the Keystone State; beginning on Nov. 22, the cyber actors accessed multiple US-based facilities that utilize Unitronic PLCs with human machine interfaces (including water and wastewater installations), likely by compromising Internet-accessible devices with default passwords. Worse, the attackers may have had access for more than 10 days.

These compromised devices are often exposed to external Internet connectivity due to the remote nature of their control and monitoring functionalities, and by default are on TCP port 20256. Any compromise could render the PLC inoperative, which could lead to the shutdown of the operational technology (OT) responsible for the physical workings of utilities and other industrial control facilities.

The agencies say it is not known whether attackers dug deeper into these PLCs, but warned any organizations running these controllers to evaluate their systems.

**About the Author(s)**

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Pro-Iran Attackers Access Multiple Water Facility Controllers

Come up with a clever cybersecurity-related caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Is any job worth this much work? Come up with a cybersecurity-related caption to describe the scene above. Our favorite submission will win a $25 Amazon gift card.

The contest ends on Dec. 27, 2023. Here are four easy ways to submit your ideas:

**Last Month's Winner**

The winning caption for November's "Out for the Count" cartoon comes courtesy of Paul Mauriks, ICT security specialist, technology solutions, at the Department of Justice and Community Safety in Victoria, Australia. Congrats, Paul, and thanks to all who played!

**About the Author(s)**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: On Your Mark...

Why we should applaud the Red Cross's efforts, even if they likely won't work.

Source: Brain light via Alamy Stock Photo

The efforts of the International Committee of the Red Cross (ICRC) to establish rules of engagement to combatants in a cyberwar should be applauded internationally, even if adherence is likely to be limited. The ICRC recently released a set of rules for civilian hackers involved in conflicts to follow in order to clarify the line between civilians and combatants, as cyberspace can be a blurry place to work in — especially during a war. 

The ongoing conflict between Russia and Ukraine in particular has caused unprecedented numbers of civilian hackers to place themselves in the middle of the war, using their skills to fuel attacks on banks, manufacturing facilities, hospitals, and railways, in an attempt to sway the war to one side or another. Cyber vigilantism isn't a new concept, but the large scale of these nascent patriotic cyber "gangs" has given the ICRC reason to take action with the hope that that hackers on both sides adhere to these rules.

**Do's and Don'ts for Hacktivists**

ICRC's eight rules for "hacktivists" are:

1.  Do not direct cyberattacks against civilian objects.
    
2.  Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
    
3.  When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.
    
4.  Do not conduct any cyber operation against medical and humanitarian facilities.
    
5.  Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
    
6.  Do not make threats of violence to spread terror among the civilian population.
    
7.  Do not incite violations of international humanitarian law.
    
8.  Comply with these rules even if the enemy does not.
    

These rules come at a time when it's never been easier for groups, or even individuals, to get involved in attacks and do their part for their cause. The easier it is for anybody with a grudge to launch a cyberattack, the less restrictive these rules will be and the less they will be followed. Many of the stateless groups involved in the Russia-Ukraine conflict aren't bound by current national or international laws. Indeed, several groups, such as the pro-Russian Killnet group, already have reported they will not follow the ICRS's rules.

 Even though these rules likely will not be accepted by the hacking groups currently operating within the Russia-Ukraine conflict, the ICRC should be commended for coming up with and publishing these rules. Establishing norms is crucial for holding such groups accountable for potential war crimes, civilian death and destruction, and other harmful ancillary effects.

The rules are supposed to fall in line with international humanitarian law, a set of rules that seek to limit the effects of armed conflict and, when broken, constitute war crimes. The IHL rules for armed conflict are critical in protecting citizens in military zones during wartime, but the often anonymous and detached nature of cyberspace means it will be much, much harder to police these new cyber-focused IHL rules.

Rule No. 3, for example, is absolutely critical to mitigating the damage to civilians during a conflict. But civilian hackers working on behalf of a military goal may be totally unaware of the unintended destruction they would cause with their attacks. When preparing any kind of cyberattack, the intelligence that an actor has going into the target environment is rarely 100%, even if they're a professional. If the intention is to impact a single component of a bank, for example, but the attacker fails to realize that a nearby hospital relies on that same electrical grid, the situation can escalate very quickly. And when it's a low-skilled attacker with little regard or understanding of what a high-powered tool can do, miscalculations become alarmingly easy. 

**Collateral Damage**

It's also likely that the private sector will take the brunt of this collateral damage. For example, NotPetya — a targeted attack against Ukrainian infrastructure — went into the wild in 2017, paralyzing factories across the globe and costing shipping company Maersk $300 million. The other cause for concern is that the commercialization of cybercrime has enabled less advanced actors to rent state-of-the-art malware and launch campaigns with speed and with ease. For example, the Colonial Pipeline attack was likely orchestrated by an affiliate who had paid for the DarkSide malware. This makes it far more challenging to monitor who is being targeted, and even the developers probably don't know for certain how and where their malware will be used.

The ICRC is sending these rules to hacking groups on both sides of the conflict, and has called on all states — not just Russia and Ukraine — to "give due consideration to the risk of exposing civilians to harm if encouraging or requiring them to be involved in military cyber operations." Creating the parameters for civilian hackers involved in conflicts now hopefully will lead to internationally accepted and enforceable rules in the future. If even some level of deterrence can be achieved by these rules, it will serve to avoid unnecessary damage and harm in future conflicts.

**About the Author(s)**

CISO, Arctic Wolf

Adam Marrè is the Chief Information Security Officer at Arctic Wolf. Prior to joining Arctic Wolf, Adam was the Global Head of Information Security Operations and Physical Security at Qualtrics. With deep roots in the cybersecurity space, Adam spent almost 12 years with the FBI, holding positions like SWAT Senior Team Leader and Special Agent.

Establishing New Rules for Cyber Warfare

Interpol has upgraded its biometric background check tech. It'll help catch criminals, but will it protect sensitive, immutable data belonging to the innocent?

Source: Huang Zheng via Shutterstock

In November, Interpol arrested a fugitive smuggler using a new biometric security system it plans to deploy across its 196 member countries.

The colorlessly named "Biometric Hub" collates Interpol's existing fingerprint and facial-recognition data into one place, allowing border control and frontline officers to query criminal biometric records in real time.

The system is backed with certain privacy guarantees, but questions remain about the extent of its reach, and of any organization's ability to keep a tight hold over such privileged data.

"This is going to be a super high-value target for somebody to get access to," John Gallagher, vice president at Viakoo, worries. "Any time you put together such valuable information, it's obviously going to get hacked and leaked."

**The First Criminal Caught by Biometric Hub**

Just a couple of weeks ago, a group of migrants was crossing the Balkans on their way to Western Europe. In their midst was a fugitive migrant smuggler.

The group encountered a police check in Sarajevo, Bosnia and Herzegovina.

"Wanted on organized crime and human trafficking charges since 2021, the smuggler presented himself as a fellow migrant under a false name, using a fraudulent identification document to avoid detection," Interpol recounted in a press release.

Unfortunately for the fugitive, this police check was among the first to utilize the new Biometric Hub out in the field. "When the smuggler’s photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country. He was arrested and is currently awaiting extradition."

There's little doubt that the Biometric Hub will streamline Interpol's criminal background checks. But does it provide sufficient security and privacy checks for the citizens who aren't trying to perform crimes across borders?

**Concerns Over Biometric Policing**

To assuage fears of a sci-fi dystopia, Interpol explained on Wednesday that its new biometrics system will abide by its "robust" data protection framework.

Of note, the agency added that "biometric data run through the Hub in a search is not added to INTERPOL's criminal databases, is not visible to other users and any data that does not result in a match is deleted following the search."

Dark Reading has reached out for comment to Interpol, and the vendor supporting Biometric Hub — Idemia — but hasn't yet received a response as of this publication.

Besides privacy, Gallagher points out, a system containing the most sensitive identifying information belonging to the most dangerous criminals out there is an inevitable target for cyberattackers. And a breach of such a system wouldn't be unprecedented.

In 2019, for example, a 23-gigabyte leak at a company contracted by UK police and other government agencies led to the exposure of somewhere around one million fingerprint and facial recognition records. Elsewhere, background checks have been accessed from the US Department of Homeland Security, images have been stolen from Customs and Border Patrol, and more.

"I'm not saying that authorities are doing the wrong thing here — I think they are doing the right thing," Gallagher says. Then he predicts all the many ways the system could fail.

"How frequently do things like the cameras themselves malfunction? And what happens if somebody gets to the camera network? Internet of Things (IoT) devices are the easiest in the universe to hack into," he says.

"My argument is that, in a few years, biometrics won't be trusted," he warns. "Because I pass a camera 100 times a day in my enterprise, and that enterprise might not be securing that camera data very well."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading