Pseudonymous masking has made credit card transactions more secure, but Visa has even greater plans for tokenization: giving users control of their data.

Source: basiczto via Shutterstock

In 2014, Visa introduced its tokenization service, allowing customers to pay for goods and services without giving away their credit card details.

A decade later, the shift to tokenization has become a great success. The company has issued more than 10 billion tokens, which typically replace a card number in a digital wallet, such as Apple Pay or Google Pay. These tokens — fueled more than $40 billion in e-commerce transactions in the past year, according to Visa, accounting for 29% of all transactions processed by the financial giant. Perhaps even more significantly, tokens see 60% less fraud, leading to the prevention of more than $650 million in fraud in the past year, the company said.

The success is driven by the security technology's ease of use, with digital wallets playing host for most consumers' tokens, says Mark Nelsen, senior vice president and head of consumer platform products for Visa.

"Merchants like it because you get less abandonment, you get higher conversion rate, and, oh, you get lower fraud at the same time," he says. "It seems simple in theory, but there's a lot of technology — as you can imagine — behind the scenes that makes it work at scale."

The tokenization of digital payments has arguably been the greatest success to date for the pseudonymous technology. But the future holds new applications, including the increase of user privacy and the decrease of data loss in case of breach.

**What's Accelerating Tokenization**

In 2020, Visa marked the issuance of its 1 billionth token, a milestone that took six years to reach. Social distancing during the pandemic and consumers' greater comfort with the technology accelerated adoption, leading to 9 billion more tokens created for payment cards in the past four years, according to the financial giant.

The next great push for tokenization will be to improve privacy and data quality, Nelsen says. Passkeys are essentially a tokenization technology that replaces a password with an authentication process using a user's device and, typically, a biometric.

In the future, Visa aims to make tokenization even more widespread, replacing more user data with tokens. The upcoming Visa Token Service can be used to protect nearly any data, including sensitive data, and gives consumers full control over with whom they share their data. At any point in time, the consumer could log into their issuer's banking app, see all of the places where they have shared their data, and revoke some of those permission, Nelsen says.

"Because it's tokenized, they now have life cycle management, and so they could say to the bank, 'Hey, I want to disable or revoke access to my data for these merchants because they don't need to have access to my data anymore,'" he says. "We think it creates a really nice framework for how we could manage data going forward."

The company plans to launch its first Visa Token Service pilots later this year.

**How Tokenization Hides Data**

While tokenization of nonpayment data has gradually grown in popularity, especially as the discipline of data science has taken off over the past decade, managing the process is often complex.

Unlike encryption, tokens can directly replace sensitive data, adhering to the data format so that legacy systems can store the data. Financial institutions, for example, can use tokens to replace credit cards because a 16-digit token can be generated and stored in the place of the 16-digit account number.

A combination of tokenization and encryption can help companies comply with regulations and protect sensitive data, says Brent Johnson, CISO at Bluefin, a data security firm.

"Without an authenticated API to 'detokenize' the data and decode the token, the token is useless to hackers," he says.

**Vaulted or Vaultless Tokenization?**

Most businesses are data pack rats — throwing away perfectly good data is antithesis to their strategy. Yet keeping data around poses risks in the case of a data breach. So companies typically use one of two methods of tokenization: Vaulted systems store the mapping of tokens to data in a vault but allow employees to use the tokenized version, while vaultless systems use an encryption-like mapping that can restore data for authorized users.

There is no reason for companies to leave nontokenized data around, says Todd Moore, global head of data security products at Thales, a data protection firm.

"Tokenization should be a part of an organization's overall security strategy, \[but\] encryption and associated key management remains the best way to protect long-term sensitive data," he says. "Many global privacy regulations recognize the combination of using encryption and tokenization, like pseudonymization, as an adequate form of data protection."

Tokenization should not just be used for databases but also to mask privacy-regulated data with tokenization, which can help companies retain some use of the information while meeting their regulatory obligations, says Bluefin's Johnson.

In fact, by pushing tokenization out to the user's machine, companies can make their data life cycles more secure, he says.

"Companies should ... use tokenization to immediately tokenize data upon entry into a Web form or e-commerce page, further extending its use beyond protecting data in storage," Johnson says. "Vaultless tokenization provides the easiest way to secure an organization's data as most of the organization's systems will never see the original data strings, and only a very few, limited, heavily controlled systems are allowed to transform tokens back to sensitive data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tokenization Moves Beyond Payments to Personal Privacy

The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the country's paper of record has not yet confirmed the nature of the data accessed.

Source: Michele D'Ottavio via Alamy Stock Photo

A 4chan user has leaked 270GB of internal New York Times data — allegedly including source code for the popular Wordle game and other parts of the business — as part of an incident that the media outlet partially confirmed this week.

The anonymous 4chan user claimed to have gained access to 5,000 GitHub repositories, mostly unencrypted, containing a collective 3.6 million files, including "basically all source code belonging to the New York Times Company."

Such claims from cybercriminals should always be taken with a grain of salt. But at least one researcher, Alex Ivanovs, says he has verified part of the data as legitimate, including source code for Wordle; a WordPress database of 1,500 New York Times Education site users with names, email addresses, and hashed passwords; internal Slack communications; and authentication details such as "URLs and their respective passwords, secret keys, and API tokens. … Plenty of such secrets need immediate attention."

For its part, a spokesperson for the Gray Lady confirmed that data was accessed back in January, but didn't verify the granular details of the incident.

“The underlying event related to the recent online posting of Times information occurred in January 2024, when a credential to a cloud-based third-party code platform was inadvertently made available," says Charlie Stadtlander, New York Times managing director for external communications, newsroom, and opinion. "The issue was quickly identified, and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

**Source-Code Leaks Have Wide-Ranging Implications**

If the data trove is indeed as extensive as claimed, the ramifications could be significant for the Times itself, as well as for subscribers.

"The very nature of source code means that malicious actors could examine it for vulnerabilities to exploit in cyberattacks," noted Javvad Malik, lead security awareness advocate at KnowBe4, in an emailed statement. "Additionally, the claim that only a small fraction of the repositories were encrypted highlights a potential gap in data protection strategies."

Thomas Richards, principal security consultant at Synopsys, added in an email that the exposure of source code could also allow cybercriminals to tamper with applications, games, and internal infrastructure for use in any number of nefarious attacks.

"What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code," he said. "If they were in the network just to view the code, they could also tamper with the code to introduce vulnerabilities or backdoors to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with or that unauthorized changes were made."

Even if the data affected is less impacting than many fear, the incident is the latest, along with the recently revealed Ticketmaster breach, to showcase issues in securing third-party cloud assets.

This is a developing story.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

New York Times Internal Data Nabbed From GitHub

London cops make arrests in connection with scam SMS messages, purportedly from official organizations, being sent out from bespoke phone mast.

Source: Roger Bamber via Alamy Stock Photo

London police have made two arrests in connection with what the law-enforcement agency claims is a first-of-its-kind crime — bypassing mobile networks' security to send flurries of malicious text messages by standing up a homemade cellphone tower.

Commonly referred to as "smishing," using SMS text messages as phishing lures is nothing new, but the addition of the homemade tower the accused used as a "text message blaster," according to the cops, is a novel approach.

“The criminals committing these types of crimes are only getting smarter, working in more complex ways to trick unknowing members of the public and steal whatever they can get their hands on," said temporary Detective Chief Inspector David Vint, head of the Dedicated Card and Payment Crime Unit (DCPCU), in an announcement of the arrests.

The cybercriminals reportedly sent thousands of text messages posing as banks and other organizations in an attempt to harvest data from victims, the London police explained.

**About the Author(s)**

Smishers Stand Up Fake Phone Tower to Blast Malicious Texts

If passed, APRA will be a giant leap forward for the rights and freedoms of Americans.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

April 7 was quite a moment for Americans. That was when two US lawmakers shared draft legislation of a soon-to-be unveiled bill called the American Privacy Rights Act, or APRA. According to the International Association of Privacy Professionals (IAPP), if it becomes law, the American Privacy Rights Act "would introduce a significant shift in how organizations collect, process and share personal information, and set a high bar for data minimization practices.

To date, corporate privacy professionals whose operations are in scope of the US have needed to treat the region essentially as 50 countries since, generally, each state has its own set of laws and regulations on the subject. Complex if you deal with one or two states, unmanageable if you deal with 50.

Let's set the scene: The United States has, historically, addressed the privacy of its citizens at the state level, reserving broader rule for specific industries such as medical (HIPAA), financial, and trade (FTC). You quickly can see how this legislative patchwork left significant gaps in the processing of personal data outside very specific use cases. Europe suffered a similar lack of cohesion for many years, until the implementation of the General Data Protection Regulation (GDPR) in 2018, and the world watched closely to see if unified laws spanning dozens of geographies could actually work.

Six years later, it is safe to say that the processing and protection of personal information across Europe is unrecognizable from what it once was, and in the interim period, we've even seen the birth of revolutionary data laws in California and other states. A standard for data subjects' rights and what they expected was emerging in a place where we were generating and using — as well as valuing and relying upon — an exponentially increasing amount of data.

**The US Needs Federal Privacy Laws**

There are a number of reasons why the US wants, and needs, privacy laws at a federal level: consistency, manageability, interstate operability, trade with other regions such as Europe and Australia, and to enable technologies such as open banking to move forward. To date, states including California, Kentucky, Maryland, and others have been left with no choice but to enact local laws in order to compete in a marketplace where data privacy is a key player and differentiator among those vying for business. 

APRA, which at the time of this writing is still in draft form, follows in the footsteps of GDPR and the ePrivacy Directive, with provisions for data processing principles, subject's rights, consent to marketing, and data security.

This is still very early days, and in addition to the unclear timing (typically, an election year would preclude these types of proposals), there are more than a few obstacles still to overcome, including the same challenges that were evident in 2022, such as state law preemption and Private Right of Action.

Relevant stakeholders (think big tech, privacy groups, state governors, etc.) will each have their own perspectives, priorities, and questions, all of which will take time to come to an agreement on, if at all possible. It's worth noting that, unlike legislation in other countries, APRA attempts to consider both the interests of the data subject as well as those of the business and its operational abilities. This is untested waters, though, so it will be very interesting to see if, and how, that would work in real life.

In summary, APRA is a giant leap forward for the rights and freedoms of American subjects. I know we have been here before (two years ago), but this feels different — with people reenergized, reinvigorated, and excited by it. US lawmakers will be feeling pressure from different angles, not least from large enterprises that are losing opportunities to other regions where legislation enforces the notion of putting personal information front and center. Watch this space: I think good things are coming.

**About the Author(s)**

Group Data Protection Officer, GlobalSign

Richard Hancock is Group Data Protection Officer of GlobalSign, where he utilizes a strong technical background to provide clear and practical steer and guidance in addressing problems with a long, proven track record of creating, implementing, managing and reviewing data protection programs and framework, aligning with industry standards, and meeting a plethora of ever changing, culturally different global legislative landscapes. He spent many years helping enterprises implement PKI solutions, ranging from 1 or 2 SSL certificates through to custom-written API modules for automated process handling. Over the past decade, he has used that skill set to develop and implement data governance regime and data protection legislation compliance, encompassing not just General Data Protection Regulation (GDPR) and ePrivacy but also many domestic laws, as well as both federal and state level regulations within the US. He continues to lead the way in strategic thinking and best practice deployment in the identity verification, digital signing, and data encryption sector.

Is a US Nationwide Privacy Law Really Coming?

The threat environment will continue to grow in complexity. Now is the time for organizations to streamline how they manage and mitigate overlooked vulnerabilities.

Source: Stephen Parker via Alamy Stock Photo

According to Coalition's research, Common Vulnerabilities and Exposures (CVEs) are expected to increase by 25% in 2024 to a shocking height of 34,888 vulnerabilities, or roughly 2,900 per month. As attack surfaces continue to expand rapidly, business leaders face mission-critical choices in increasing their cyber defenses to improve vulnerability warning, patch management, and incident response.

Through our honeypot data and view into our cyber insurance policyholders' attack surfaces, security tools, and workflows, Coalition has identified the key technology choices that place businesses at risk — as well as the choices that are proving most effective.

**Short-Sighted Business Choices**

Several factors contribute to the current state of weak vulnerability management, making organizations more susceptible to cyberattacks.

First, companies often leave security teams under-resourced and overworked. These cyber workforce challenges — from worker shortages and cyber skill gaps to security burnout — continue weighing down security teams. Information security professionals are enduring extreme alert fatigue, inhibiting their ability to quickly track, patch, and remediate vulnerabilities.

Second, choosing to use disparate flagging systems keeps critical information on the latest threats siloed. Companies and their customers are at risk because key resources are managed separately: The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) scores, the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and miscellaneous (and often belated) security advisories from vendors all come from distinct sources. The onus then is transferred to each organization to stay on top of all these different information sources. Worse, now that NIST is facing major backlog issues, its National Vulnerability Database can no longer be seen as a source of truth, complicating the picture further.

Third, companies don't always put business resources into closing the talent gap. ISC2 found that while the cybersecurity workforce grew 8.7% year over year in 2023, the workforce gap grew an additional 12.6%. Supply is outpacing demand, and security teams are simply strapped.

Finally, choosing to ignore technical debt keeps old and outdated software a high-risk target. Legacy technologies and companies' massive lists of technology subscriptions not only take up security budgets, but they also expand businesses' attack surfaces. Many businesses don't have the budget to explore new security tools or approaches because they are weighed down by technical debt.

**Risky Technical Choices**

Security teams must make smarter choices about the overlooked risks threat actors continue to successfully target and exploit year after year: unpatched vulnerabilities, Internet-exposed technologies, and end-of-life (EOL) technology.

First, understand that vulnerabilities can turn seemingly small software flaws into active attacks, so putting off patching is a risky decision. In a recent example, a nation-state attack from a North Korean threat group targeted a Windows zero-day vulnerability left unpatched for six months. This vulnerability's scale and business impacts are still unknown but pose a massive, ongoing risk for organizations.

Second, organizations need to pay more attention to their easily exploitable, Internet-exposed technologies. For example, Coalition found scans from unique IP addresses looking for Remote Desktop Protocol (RDP) increased by 59% from January 2023 to October 2023, indicating that cybercriminals are still targeting this vulnerable technology to gain operating system access.

Finally, companies often decide to keep outdated and EOL technologies running until they break down completely — or get penetrated. Threat actors upped their attacks on outdated, out-of-date software this last year. Coalition's report found that 10,000 businesses are running EOL database Microsoft SQL Server 2000, while over 100,000 businesses are running EOL Microsoft SQL servers. If left unaddressed, outdated technology and technical debt will cost organizations in the US trillions of dollars in the coming years.

As threat actors continue to search for the easiest risks to exploit and monetize, strengthening an organization's cyber resilience can be as simple as identifying the most easily addressable risks.

**Smarter Choices for Security Teams**

Our research shows that choosing to implement a few leading solutions improves vulnerability management and will continue to do so in the foreseeable future.

First, security professionals can leverage threat intelligence tools, like honeypots, to identify hackers' tactics, techniques, and procedures. These tools help serve as an early warning system for new threats. For example, Coalition uncovered cybercriminal activity related to the 1,000% 2023 MOVEit vulnerability spike in mid-May, two weeks before Progress Software and CISA issued their advisories. This early alerting helped our policyholders remediate the vulnerability and avoid related cyber incidents and impending cyber insurance claims. Meanwhile, the vulnerability cost the broader cyber ecosystem $15.6 billion.

Second, defenders should employ artificial intelligence (AI) to help them generate and contextualize alerts across the security ecosystem. While the cyber industry works to overcome the cybersecurity risks of AI, vendors are also finding new ways to battle adversaries with the technology. For example, Coalition's Exploit Scoring System incorporates multiple data sets and analyzes them with AI to help companies manage and prioritize risk mitigation.

Finally, remember to pair continuous threat detection and response management with a human traffic guard. The human power of security teams will lift cogent businesses over risky ones. While AI and machine learning are key to catching vulnerabilities, patching with intelligence requires people — strategic human partners who can act on the AI's automated insights.

**About the Author(s)**

Vice President of Research, Coalition

Tiago Henriques has had a rich career across the cybersecurity industry as an entrepreneur, CEO, pen tester, security analyst and auditor. In 2015 he founded BinaryEdge, a cybersecurity company specializing in enterprise infrastructure scanning and attack surface management. Since Coalition's acquisition of BinaryEdge in 2020, Tiago led customer security efforts across the organization as Director of Engineering for Security, recently becoming Vice President of Research.

Making Choices that Lead to Stronger Vulnerability Management

While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.

Source: ESB Professional via Shutterstock

The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyberthreat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from "The Hajj and Pilgrimage Organization in Iran," according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable, says Amin Hasbini, head of global research and analysis team for the Middle East, Turkey, and Africa region at Kaspersky.

"Companies in the Middle East and other regions need to exert extra caution during holiday seasons such as Hajj — the absence of certain employees needs to be accounted for to ensure smooth operations and maintaining security efficiency and productivity," he says. "Overall, it’s challenging for companies to have the right resources available and ready, in addition to the right policies and plans to complete the handover transition correctly, creating weaknesses that could be abused by threat actors."

The Hajj, which starts on the eighth day of the Islamic month and lasts four to six days, marks nearly a week of religious holidays for the Middle East and for an estimated 2 billion Muslims worldwide.

While Kaspersky sees threats affecting Saudi Arabia and other countries in the region drop by as much as 30% during the week of the Hajj, cyberattacks then quickly rebound. In 2022, for instance, when Saudi Arabia once again opened the annual Hajj pilgrimage to the world following the COVID-19 pandemic, cyberattacks doubled to more than 2 million during the month of Dhu al-Hijjah, which officially starts with the appearance of the new crescent moon.

While Saudi Arabia did not report data on cyberattacks in 2023, other countries have seen similar increases in attacks, says Shilpi Handa, associate research director for security at IDC's Middle East, Turkey, and Africa group.

"Annually, there's a significant surge in cybersecurity incidents reported by multiple security organizations in the Middle East," she says. "Similar findings are reported all over the region after the conclusion of Hajj each year."

**Cyber Scams**

The cyber threats linked to the Hajj pilgrimage typically begin early in the year, as cybercriminals aim to take advantage of Muslim adherents planning to make the trip to Saudi Arabia. Attackers use fake travel agencies, social media scams, or attacker-controlled online registration sites to entrap unsuspecting victims. Saudi Arabia's Ministry of Hajj and Umrah, which manages services and infrastructure around the pilgrimages, launched a government platform, Nusuk, that connects prospective pilgrims with legitimate operators and sites, which has significantly reduced fraud.

However, advanced threat actors have used messages and notifications about the Hajj as a way to lure employees into opening links and attachments in email. From January to May 2024, for example, an India-linked threat group — alternatively known as Sidewinder and Rattlesnake — has used Hajj-related emails to target users in Asia and Africa, according to Kaspersky.

The problem for many companies is that employees often use their business email in Web forms, or expose themselves to threats through social media, says Shawn Loveland, chief operating officer for Resecurity, a global cybersecurity service provider with clients in the Middle East.

"It's concerning how many employees use their business email on personal websites," he says. "If their PII gets scammed, now the threat actors know where you work. ... Employers should be helping to educate their employees about online fraud, because in addition to protecting the employee, it will protect the business."

As part of its effort to combat fraud, Resecurity detected and blocked more than 630 social media accounts publishing scams targeting people preparing for Hajj season, the company stated in a report on Hajj-related fraud.

**Defending With Reduced Head Count**

Saudi Arabia has taken the threat seriously. The country's National Cybersecurity Authority (NCA) conducted a comprehensive cyber exercise with more than 200 agencies represented by more than 600 officials and specialists, with a specific focus on cybersecurity during the Hajj season.

The exercise, which the country also conducted the previous year, leaves it well-prepared to handle potential cyber incidents, IDC's Handa says.

"Drills are \[being\] conducted across the region to counter cyberattacks," she says, with the government "establishing a 24/7 cyber-operations room to monitor and analyze cyber threats and share results with national agencies, allocating cyber-incident response teams, and conducting assessments to measure the cyber-risks of sensitive assets."

Businesses should take a page from Saudi Arabia's playbook, says Kaspersky's Hasbini. While attacks typically drop off for the week around the Hajj, security teams are also short-staffed, often leaving response times slower. Planning to identify and respond to incidents under such restrictions makes for good preparation.

"While the risk of mistakes by an insider is lower when employees of an organization are out of office, we see a bigger risk if the responsibilities of employees in the IT or IT security departments ... are mishandled or simply ignored, opening up weaknesses for attackers to abuse," he says.

Companies should be clear in their delegation of duties when there is a shortage of cybersecurity specialists and establish clear protocols for communications, Hasbini says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Governments, Businesses Tighten Cybersecurity Around Hajj Season

Charges against the ransomware gang member included damage to computers, conspiracy to commit fraud, and conspiracy to commit money laundering.

Source: Ozrimoz via Shutterstock

Ukrainian national Yaroslav Vasinskyi, affiliate of the REvil ransomware-as-a-service group, was sentenced to more than 13 years in prison after pleading guilty to an 11-count indictment.

The charges against Vasinskyi, also known as Rabotnik, involved conspiracy to commit fraud, conspiracy to commit money laundering, and damage to protected computers. According to court documents, he conducted thousands of ransomware attacks using the Sodinokibi/REvil ransomware variants.

"Yaroslav Vasinskyi and his co-conspirators hacked into thousands of computers around the world and encrypted them with ransomware," said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department's Criminal Division. "Then they demanded over $700 million in ransom payments and threatened to publicly disclose victims' data if they refused to pay."

Alongside his sentencing, Vasinskyi has been ordered to pay roughly $16 million in restitution for the role he played in over 2,500 ransomware attacks — a fraction of the $700 million in ransom payments that was demanded of his victims.

**About the Author(s)**

REvil Affiliate Off to Jail for Multimillion-Dollar Ransomware Scheme

Patch now: Cyberattackers are exploiting CVE-2023-7028 (CVSS 10) to take over and lock users out of GitLab accounts, steal source code, and more.

Source: simon de glanville via Alamy Stock Photo

A critical security vulnerability in GitLab is under active attack, according to CISA. It allows bad actors to send password reset emails for any account to an email address of their choice, thus paving the way for account takeover.

"This will allow attackers to reset the password just as if they were a user that had legitimately forgotten theirs," says Erich Kron, security awareness advocate at KnowBe4. "From there, the account would belong to the bad actors."

Further, Kron warned that if adversaries choose to change the legitimate associated email address for a GitLab account they've infiltrated, they could then keep the rightful account owner from being able to log in or use the password recovery function to change it back.

CISA added the vulnerability, CVE-2023-7028, to its Known Exploited Vulnerabilities (KEV) catalog as a "GitLab Community and Enterprise Editions Improper Access Control Vulnerability." The agency noted that the bug is maximum severity with a 10 out of 10 CVSS vulnerability-severity score, and is requiring Federal Civilian Executive Branch (FCEB) agencies to remediate FCEB networks against the active threat.

Sajeeb Lohani, senior director of cybersecurity at Bugcrowd, said there are publicly available exploits for the bug as well, so defenders shouldn't sit on this one.

"Since the exploit itself is quite simple to pull off, the bar of entry for the exploit is low, implying less skilled hackers will also be able to exploit this issue," he says. "In simple terms, this is an issue you want to patch promptly."

**CVE-2023-7028: Risk of Proprietary Data, Code Theft**

David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure, explains that the stakes are high for organizations because GitLab stores source code and proprietary data.

"There's always the risk of an attacker injecting malicious code into the supply chain as well, but that requires the changes not being flagged elsewhere," he explains. "While data exfiltration typically won't run up against other checks, the point of a source control platform is that you can easily transfer code in and out of it to local machines."

He recommended that organizations that manage their own GitLab deployments should ensure they have a plan to upgrade to a patched version if they haven't already done so.

"If that can't be done immediately, then mitigations should be employed," he says. "You need to ensure that you have regular password rotation or use a separate identity provider for authentication."

Larger organizations may want to also consider tools that can identify anomalous activity based on user actions, which could flag compromised accounts for quarantine.

**MFA, Zero Trust Are Effective Counters**

Defending against these types of attacks goes back to security basics. For instance, Kron suggests that one of the most effective ways to counter attacks such as unauthorized password changes is the use of multifactor authentication (MFA), which attackers keep trying to circumvent.

He added that while MFA is not unhackable, it can add enough complexity to the account takeover process that the bad actors may fail.

"Even if they could reset your password, they will not be able to log in without the second factor," he says. "This could prevent them from changing the recovery email address, making them unable to lock the rightful account owner out."

Patrick Tiquet, vice president of security and architecture at Keeper Security, meanwhile notes the most effective method to prevent account-based cyberattacks is to invest in a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor's access.

He also says a privileged access management (PAM) solution is imperative for IT administrators and security personnel to manage and secure privileged credentials and ensure least-privilege access.

"Additionally, each organization's patch management strategy needs to have a fast track for critical vulnerabilities with high possible severities — like this one — to ensure they can immediately take action," Tiquet says.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns

If CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately.

Source: Tenebroso via Alamy Stock Photo

COMMENTARY

In a recent open letter, high-profile names from across the business, academic, and scientific worlds called for governments to intensify their regulation of deepfakes.

While their aims are admirable, their efforts are misplaced — it's innovation, not regulation, that will shore up our defenses against the deepfake threat. 

The letter, titled "Disrupting the Deepfake Supply Chain," was signed by prominent thinkers, including Stephen Pinker, computer scientist Joy Buolamwini, US politician Andrew Yang, and the "godfather" of AI, Yoshua Bengio.

Specifically, the letter called for increased criminalization of deepfakes, the establishment of specific criminal penalties, and liability for software developers and distributors for the use of their products in deepfakes. 

The letter correctly identifies the symptoms. Deepfakes are proliferating at a rapid rate — more than 900% annually, according to The World Economic Forum. This is ratcheting up the threat level across society.

Deepfakes are already an established weapon in the hacker arsenal. One finance worker recently paid $25 million to malicious actors after they used a deepfake of the employee's CFO in a video conference call. This should serve as a warning shot across the bow for the corporate world, and the open letter is correct to raise the alarm about the relative lack of action.

However, delegating responsibility to governments will only leave corporations more exposed. CEOs cannot afford to sit back and rely on regulators to stem the flow of deepfakes. They must take action and build their own defenses as soon as possible — and they are already starting from behind. Catching up will mean doubling their investment in innovative technologies that can counteract deepfakes.

**Stone Age Policies**

But why aren't governments up to the task themselves?

Most governments' cybersecurity departments and policies are in the Stone Age compared with these hackers. By the time legislation is drawn up, debated, and rolled out, it's often already antiquated and behind the pace of technological development. 

Furthermore, relying on reactive regulation in one government also means trusting all governments to do the same. No matter how punitive the legislation in one country, hackers in another country won't worry about the penalties, so nations will have to work together to negate the threat of deepfakes. But right now, hoping the Chinese or Russian states will prevent hackers from disrupting business in the West is nothing short of naive. 

CEOs and senior management must step up to the challenge and take responsibility for ensuring that they aren't the next victim of a deepfake scam.

Fortunately, management has several technologies available that can be rolled out to shore up their deepfake defenses, including advanced authentication, detection AI, and content watermarking. 

CEOs can integrate enhanced authentication standards to insulate their firms from deepfake scams. Two-factor or multifactor authentication systems require users to provide additional verification beyond a password, adding information that deepfake scammers will need to access sensitive information.

**Fighting Deepfakes With AI**

Management must also deploy AI in the fight against deepfakes. AI tools can analyze media files for anomalies and inconsistencies that are evidence of tampering. They can also analyze the subjects of these files, such as facial expressions and vocal patterns, and then flag non-natural inconsistencies that the human eye may miss. They can even compare deepfakes against genuine employee biometric data to identify fake representations of company employees.

Another option available to corporations is content watermarking, which embeds invisible, unique identifiers into official company media files. This can be used to verify the authenticity and origin of media content that employees come into contact with. 

These are just some of the many digital tools that management can use to insulate themselves from deepfake scammers and hackers. But they come at a cost.

Currently, cybersecurity funding lags far behind the scale of the threat that deepfakes pose. As with the finance worker above, company funds are at risk. Deepfake scams could also be used to access sensitive IP and trade secrets. Deepfakes of employees can also damage a firm's reputation, harming investor and consumer confidence. 

Even in the face of these ominous threats, firms continue to woefully underfund cybersecurity. The recent Cisco Cybersecurity Readiness Index highlights how only 3% of organizations have the "mature" level of readiness needed to be resilient against cyber threats. 

So, if CEOs want to prevent their firm from being the next victim of a high-profile deepfake scam, they need to double cybersecurity funding immediately. Relying on the government to do this for them only increases their exposure to the risk that deepfakes pose. With healthier financing, corporations can roll out authentication tools, AI identification systems, and content watermarking to properly insulate themselves from the deepfake threat. 

**About the Author(s)**

Founder & CEO, artius.iD

Michael Marcotte is one of the world’s pre-eminent experts in digital identity, cybersecurity, and business intelligence technology. He joined EchoStar, the multibillion-dollar satellite communications firm, in 2006, and was Global CIO, Global CDO, and president (Hughes Cloud Services). He was one of the very first people to serve as chief digital officer of a major international corporation. Michael left EchoStar in 2014 and currently is the founder and CEO of digital authentication firm artius.iD. He has applied his expertise at a range of firms in technology, cybersecurity, and venture capital. He is also co-founder of the National Cybersecurity Center (NCC) and was founder and chairman of the NCC's Rapid Response Center Board. He has been a senior adviser for several heads of state and US senators.

Innovation, Not Regulation, Will Protect Corporations From Deepfakes

The AI security startup's platform will allow organizations to define appropriate AI usage and enforce security policies.

Source: Ole CNX via Shutterstock

The past two years have seen unprecedented interest in generative artificial intelligence (AI), with companies across all industries integrating capabilities into their products and services. Organizations are adopting these tools to work faster and more efficiently. However, these AI applications also pose security challenges for organizations, with heightened risks of leaks of customer data and intellectual property. They also expand organizations' attack surface, potentially exposing them to malicious data injection and other AI-driven attacks.

This evolving threat landscape sets the stage for Apex, an AI security company that came out of stealth yesterday. Apex's security platform provides organizations with visibility of their AI activities. Organizations can define what AI usage should look like within their environments and enforce security policies accordingly. The platform can detect violations to company policies, as well as detect and respond to attacks, the company said.

The platform also includes a secure portal through which users can interact securely with the organization's AI tools. Apex works with public generative AI tools such as ChatGPT and Gemini, copilots such as the one from Microsoft, and the organization's own custom AI applications.

Founded in 2023, Apex currently has a few trials with Fortune 500 companies, the company told Reuters. Apex's co-founders are Matan Derman (CEO) and Tomer Avni (CPO).

As part of the launch, Apex raised $7 million in seed funding from Sequoia Capital, Index Ventures, and angel investors, including Sam Altman, CEO of OpenAI. The company plans to use seed funding for product development, grow its team, and go-to-market activities.

**About the Author(s)**

Source

DARKReading