Melissa Hathaway, a former White House cybersecurity adviser, says Biden is pushing through more regulatory reforms than previous administrations.

Lack of transparency with third-party suppliers is companies' biggest cyberthreat, says CIGI's Melissa Hathaway.Source: Harvard Kennedy School Belfer Center

Melissa Hathaway hasn't shied away from advising corporate boards and government leaders on cybersecurity policy since leaving the White House a decade ago. Hathaway, a former National Security Council Cybersecurity Chief, served in two administrations, leading the Comprehensive National Cybersecurity Initiative for President George W. Bush, and launching President Barack Obama's Cyberspace Policy Review.

Currently a member of the Centre for International Governance Innovation's board of directors, Hathaway recently spoke about current digital risks at a CIGI conference last month. Hathaway also provides consulting services as president of Hathaway Global Strategies, and most recently, was tapped by data protection vendor Commvault to chair its newly formed Cyber Resilience Council. During a meeting in New York City, Hathaway shared her views on the latest global cybersecurity threats from China and Russia, and the impact of the war in Israel.

Dark Reading: How would you compare today's threat landscape to when you were working for the White House over a decade ago?

Hathaway: Ransomware is on the rise, and it has become very sophisticated. Now you can encrypt 50 terabytes of data in less than five minutes, and all an intruder needs is one path in. A lot of really destructive, malicious software is being developed, and proof pointed over in Ukraine, such as the wiper virus attacks that we saw against Viasat. You're also starting to see the infections of low-level botnets capable of high-volume distributed denial service attacks. I'd say, though, the biggest problem is that companies don't have enough transparency into the dependencies of their third-party suppliers. The path into most of the companies right now, if it's not an unpatched system, is through their third-party suppliers.

DR: Such as software supply chain vulnerabilities?

Hathaway: Yes, but it doesn't have to be just that. It could be the trusted supplier who didn't patch their own infrastructure and they're the pathway in not just the product that was bad, like what we're dealing right now with Cisco IOS.

DR: What's your take on President Biden's approach to cybersecurity?

Hathaway: The new White House strategy is focused a lot on making companies more responsible for not only their product and introducing secure development lifecycle, but also making them more responsible for their governance and enterprise risk management. And that's been needed for more than a decade. I think that this administration is really focused on making corporates responsible.

DR: Would you say this White House is doing more than previous administrations?

Hathaway: They're just taking a different approach. The Biden administration is focused on a regulatory approach which previous administrations never took.

DR: And do you think that's a good thing?

Hathaway: In 2010 I wrote that there was an important moment for the SEC, FCC, and FTC to own their authorities to get to resilience. But I think that there's a challenge when you have all the regulators going in different directions. It puts an undue cost on industry. And so there has to be some harmonization of the regulatory frameworks that the administration is pushing. But that's difficult to do. One, it requires strong leadership and understanding of how the government works. Two, it requires getting those regulators to potentially cooperate and coordinate, and they don't necessarily have it within their remit to do that. And then third, you have to decide which problem you want to solve first, second, and third.

DR: With the current policies that are being laid out and proposed, to what effect do you think the outcome of the next presidential election could change those policies if there is a change in administrations?

Hathaway: You have the new SEC Rule and it took almost 13 years to get that rule in place. If another administration were to come in, regardless of party, and wanted to change direction, it would be very difficult to change the regulations and the laws in this country. A new president could come up with another executive order or policy, but those are very difficult. I mean, it's easy to write, but then it's all about the execution. And there's really no penalties associated with those, even within the government.

DR: What are your concerns about China as a threat?

Hathaway: They are a leading cyber power and probably have more manpower of meeting their overall national objectives than we do in the US or anywhere. Part of that is a percentage of the population, but they have made it a strategic priority as part of their five-year plan, and as part of their overall strategies.

Among their strategies, they are using one industrial espionage \[element\] that was featured on 60 Minutes just two weeks ago, with the Five Eyes. Industrial espionage has been going on for more than a decade, and they're continuing to move that path forward.

Through the Belt and Road Initiative, they are positioning their national champions for the delivery of telecom, data services, and other things. And they are one of the leading providers in the Global South. And that's all part of their economic strategy and changing some of the global, I would say world order of things.

They're also leading in central bank digital currencies. They saw Bitcoin as an opportunity, and they started their policy development and experimentation with it more than about a decade ago. And now they've since rolled out a CBDC \[central bank digital currency\], and they have more than 300 million people using it. If you start to think about that \[as\] a transition in the financial services systems around the world, they've got an interbank digital currency exchange that's outside of the US dollar through the CBDCs. And so, they have a longer-term strategy.

DR: What can policymakers do about that?

Hathaway: We have to look at Russia, China, Iran, \[and\] North Korea in different lenses. They are worthy opponents. And it's not like they're second rate, they're actually all first rate in different categories. And that requires us to think about things differently. Some of the initiatives of the Biden administration are important, like secure development lifecycle, which means your code better be good. We've got too many bad products in the market that are easily exploitable. We need to really be thinking about the next generation standards — we lost on 5G, are we going to lose on 6G too? And that requires us to really think about international standards differently.

I think we also need to be thinking about what are some of the cases that we're going to have to be thinking about — when you move to 5G and you're moving to the cloud, and you've got autonomous everything, you're going to have edge compute — that's going to have a whole very different set of policies on that data movement, from my driverless car to your driverless car, and what's processing them at the edge, so neither of us will have a problem. We're not really addressing that security, the data security, data privacy, the data movement, and this edge processing that's going to go forward. That requires us to really think about a different architecture about resilience, safety, privacy, and security. And that conversation I don't really think has started in our country, and we need to start it now.

DR: Has the war in Israel already changed the equation of the threat landscape?

Hathaway: Absolutely. I think things are unstable. It adds three things: First, you're starting to see new malicious software being developed and I would say swift synthetic media, deep fakes, and other things. It's causing a lot of confusion, but there's a lot of experimentation happening from a lot of groups, not just Hamas or Hezbollah — there's a lot of experimentation happening with, I would say, the malicious activities' disinformation as well as malicious software.

I think second, we're going to see a supply chain disruption of the Israeli IT and cyber industry that I don't think we've thought through what's going to happen. As you mobilize 300,000 reservists, some of which are in that industry, some of these industry providers are going to have a slowdown or a disruption. So, we have to think through that.

Israel is a leading innovator in some of these things; I think that there's going to be a supply chain disruption coming because they are a leader in IT.

Third, I just worry about the overall stability of the region; we've got a lot of geopolitical instability \[and\] too much around the world right now.

DR: Obviously, there are a lot of Israeli cybersecurity companies or even companies like Microsoft, Check Point, Google, and many others.

Hathaway: Well, you have the tech innovation center at Beersheba, but then you have a very large IT tech cyber industry in Israel that serves and works and partners with all Silicon Valley, and Seattle, Boston, and such. So, I think that there's going to be a disruption that we need to anticipate because this war is not going to be done anytime soon.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Ex-Cybersecurity Adviser to Bush, Obama Weighs in On Current Admin

PRESS RELEASE

TEL AVIV, Israel, Nov. 29, 2023 (GLOBE NEWSWIRE) -- Piiano, the leading data protection company, today announced Piiano Flows, the industry’s first privacy-centric static code analyzer. The company will offer free scans until the end of 2023.

High-profile data leaks, including Duolingo’s PII leak in late August, underscore the critical importance of data protection for businesses on a global scale. Flows automatically and continuously analyzes source code throughout development processes and tracks when, where and how sensitive data are being used and stored. This enables security teams to shift data security left with a more proactive approach. Piiano’s tool finds potential data leaks inside source code and ensures that sensitive information, such as Personally Identifiable Information (PII), credentials and financial information, are protected before faulty code reaches production.

“Security leaders want to focus more on data security during development, but don’t have the right tools to do so at scale and see what’s happening with data in their code. Data vulnerabilities are even harder to hunt down after faulty code reaches production, which is why our tool nips the problem at the source,” says Gil Dabah, co-founder and CEO of Piiano.

Image shows sensitive data statistics gathered by analyzing a code repository.

Developers are expected to work at a rapid pace and under a great deal of stress. Compounded by a lack of security expertise and orientation, they are prone to making errors through little fault of their own that can expose data at the code level–such as forgetting to remove debugging logs or inadvertently exposing sensitive data through public or third-party APIs.

According to Justinian Fortenberry, CISO at Etsy and a board advisor to Piiano, “Piiano Flows is a very powerful and straightforward solution that, for the first time, enables enterprises to save time identifying potential data leaks during and after the application development process.”

Dabah likens Flows to a “SAST-type tool for proactive DPSM.” The company’s proprietary NLP ML model and taint analysis algorithms – a more accurate approach than more commonly used Large Language Models (LLMs) – maps and highlights any code that touches sensitive data, including incoming, outgoing and stored data, to help find data privacy and security issues and blind spots that can happen in runtime.

Flows, available for free, is designed for quick and easy use with an intuitive interface for security teams. To eliminate third-party risk, it only requires access to code itself without ever accessing production environments or production data stores containing sensitive customer data.

About Piiano

Piiano provides a data protection platform for app-sec and engineering teams to secure sensitive customer data and ensure their privacy – even in the event of a breach. Enterprises can scan their source code to find data leaks and similar data exposure issues and remediate them by securing the sensitive data by using its data protection APIs. With Piiano’s building blocks, engineers and security leaders can save significant time, effort and resources while achieving true security without slowing down.

Code Scanner by Piiano Helps Enterprises Prevent Data Leaks Proactively

PRESS RELEASE

HERZLIYA, Israel, Nov. 29, 2023 /PRNewswire/ -- XM Cyber, the leader in hybrid cloud exposure management, today announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments. Kubernetes Exposure Management helps security teams protect critical assets running in Kubernetes clusters across public cloud, private cloud, and on-premises infrastructure.

The new solution delivers continuous visibility into vulnerabilities, risky permissions, and misconfigurations that could allow attackers to breach Kubernetes environments and access valuable data and applications. By extending XM Cyber's industry-leading XM Attack Graph Analysis™ to Kubernetes, organizations can now see integrated risks across hybrid environments and intelligently prioritize remediation based on potential impact to critical assets.

"We are early adopters of XM Cyber's new Kubernetes features in order to achieve full transparency into our customer environments", said Moritz Tuerk, Chief Product Owner Security for SAP Product Engineering. "With the comprehensive attack path view, we can enhance the security of the SAP cloud even further than what is currently possible."

Key benefits of XM Cyber's Kubernetes Exposure Management include:

*   360-Degree Visibility: Gain a comprehensive view of risks and excessive permissions across all Kubernetes assets.
    
*   Protection for Sensitive Resources: Ensure the security of vital Kubernetes resources like ConfigMaps and Secrets.
    
*   Cross-Environment Analysis that reduces remediation efforts: Perform multi-step attack modeling, risk assessment, and prioritization that considers the needs of multiple domains.
    
*   Rapid Time-to-Value: Initial deployment can be completed in hours to unlock actionable exposure insights from day one.
    

Security issues have caused 67% of companies to delay or slow down Kubernetes deployment. XM Cyber's Kubernetes Exposure Management capabilities are aimed at helping security teams tackle this emerging risk vector head-on.

"Kubernetes adoption is accelerating, but securing these highly complex environments remains a huge challenge," said Boaz Gorodissky, CTO at XM Cyber. "Our new Kubernetes Exposure Management equips security teams with the comprehensive visibility and automated control they urgently need to reduce attack surfaces and proactively protect critical container workloads."

To learn more about XM Cyber, please visit: https://xmcyber.com/solution-briefs/kubernetes-continuous-exposure-management/.

About XM Cyber

XM Cyber is a leading hybrid cloud exposure management company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, Asia Pacific and Israel.

You May Also Like

XM Cyber Launches Kubernetes Exposure Management to Intelligently Protect Critical Container Environments

PRESS RELEASE

EAST BRUNSWICK, N.J., Nov. 29, 2023 -- 1Kosmos, the company that unifies identity proofing and passwordless authentication, today announced the 1Kosmos BlockID platform now enables organizations to seamlessly extend web-based identity proofing sessions to a user's mobile device for scanning government issued documents. 

This new capability does not require a mobile application, and creates a frictionless web user journey by eliminating the need for a separate application to capture identity documents and meet identity assurance level (IAL) requirements. Unique to 1Kosmos is the use of a privacy by design architecture where personal information is accessible only upon user consent.

To enable fast and easy identity proofing from the web, without downloading a mobile application, 1Kosmos BlockID connects a browser to a session accessing the camera on a user's mobile device for document verification. It also validates the authenticity of government identity documents with issuing authorities and triangulates personal data from driver’s licenses, passports, national IDs, and more. In addition, 1Kosmos BlockID challenges the user to take a live selfie to ensure they are a real person and matches their selfie with the images scanned from the documents. 

“Traditional identity verification journeys performed on the web require users to install a mobile app for scanning government issued documents,” said Huzefa Olia, Co-Founder and COO for 1Kosmos. “For organizations that prefer an app-less experience, 1Kosmos BlockID eliminates the need for a dedicated app, while providing the flexibility to embed and customize document-based identity proofing across different platforms and end user journeys to suit their identity assurance and security requirements.” 

Cross Platform Identity Proofing

Like the 1Kosmos mobile app, the new app-less web based identity verification capabilities enable users to capture high quality images of government issued documents through mobile devices. 1Kosmos BlockID provides the following capabilities and benefits for implementing identity verification journeys across platforms:

*   Creates separate “verification sessions” for identity proofing with any type of document including driver’s license, passport, National ID and more
    
*   Provides a standalone web client that can extract identity data and validate the authenticity of the document template 
    
*   Offers an interface to define risk thresholds for decisioning on liveness, selfie match, etc. 
    
*   Supports integration with third party providers to validate authenticity of documents and data 
    
*   Enables administrators to review the result from the extraction of documents and data along with a recommendation from 1Kosmos on the status of verification (i.e., Pass or Fail) 
    
*   Enables organizations to build custom user verification journeys via the 1Kosmos control plane
    
*   Provides pre-deployment testing via proofing URLs
    
*   Includes built-in support for internationalization 
    
*   Meets W3C Web Content Accessibility Guidelines
    

Availability

The unified web and mobile identity verification capabilities are available immediately in the 1Kosmos BlockID platform.  

About 1Kosmos BlockID

The 1Kosmos BlockID platform verifies user identity for straight-through onboarding of customers, workers and citizens. It creates a reusable digital wallet for high assurance authentication into digital services and instant validation of end-user qualifications, competencies, authority, and more. A unique privacy-by-design architecture centered around a private and permissioned blockchain eliminates centralized honeypots of end user personal identifiable information (PII), simplifying compliance to privacy mandates such as GDPR and providing organizations tamper evident verification to always know the identity behind devices accessing applications, data and services. BlockID has attained certification to NIST 800-63-3 and UKDAIF via Kantara, FIDO2 and iBeta’s PAD Level 2 guidelines. It is delivered as a stand alone or embedded cloud service or via a managed service as a Credential Service Provider for residents.

About 1Kosmos

1Kosmos enables remote identity verification and passwordless multi-factor authentication for workers, customers and residents to securely transact with digital services. By unifying identity proofing, credential verification and strong authentication, the BlockID platform prevents identity impersonation, account takeover and fraud while delivering frictionless user experiences and preserving the privacy of users’ personal information. BlockID performs millions of authentications daily for government agencies and some of the largest banks, telecommunications, higher education and healthcare organizations in the world. The company is funded by Forgepoint Capital and Gula Tech Adventures with headquarters in East Brunswick, New Jersey. For more information, visit www.1kosmos.com and follow us  on X and LinkedIn.

1Kosmos Unifies Identity Verification User Journeys Across Web and Mobile Platforms

Black Hat speaker and 13-year-old ethical hacker Marco Liberale talks about his interest in cybersecurity, and what opportunities he has in Saudi Arabia.

Marco Liberale on stage at Black Hat Middle East and Africa.Source: Luke Hallewell from Informa at Black Hat Middle East and Africa

Younger speakers and researchers often garner plenty of interest at cybersecurity conferences, and these teenage stars often gain a following after it is over. Marco Liberale, a 13-year-old from Saudi Arabia who recently presented at the Black Hat Middle East and Africa on the subject of navigating ransomware, is likely no exception having taught himself lockpicking at 3; Python coding at 5; and malware writing shortly after that.

Liberale received praise for his presentation, in particular by researcher and Boom Supersonic CISO Chris Roberts, who said Liberale showed "how to write it, build it, design it, deploy it, and remediate systems against being taken over by it" — it being ransomware.

Dark Reading met with Liberale and his mother, Caterina Carna, to understand more about how this industry snagged his interest, and what's in store for the phenom going forward.

Marco Liberale on stage at Black Hat Middle East and Africa

How did you get interested in cybersecurity?

Marco: When I was three I was already interested in physical security, like locks and lock picking, then I learned Python when I was five and I kind of moved from there to cybersecurity. I made my first malware at the time; it was not very good though.

Was he lock picking from his crib?

Caterina: He was obsessed with chains and locks. He didn't want toys, he just wanted to go to hardware stores and buy locks and chains. My house was totally inaccessible to me because he was locking every room and I needed to ask him for permission to open it, but he was obsessed with this. But I always let him do it because I understood that there was something big inside him.

I just felt that I needed to support him as much as I could, and I let him know whatever he wanted to do to express himself in any possible way, but he was always attracted to security somehow.

How did you learn about cybersecurity, did you see it on TV and think that's something you want to do?

Marco: I mostly saw it on the news and stuff. I've always been interested in the security field and how people get in and how to stop people from getting in.

What about certifications, what are you doing now?

Marco: I study at Kings Interhigh online school, but I am way too young for most of the certifications. I'm still going to get Comptia Security+, I'm studying for that.

Are you finding a lot of opportunity to learn skills at events here?

Marco: I do have a lot of opportunities to do so. I've met a lot of people even like at KAUST \[the King Abdullah University for Science and Technology\]. There's a big IT field there as it is mostly focused on science and IT.

Do you have friends who are also doing this?

Marco: No, most kids my age are just playing soccer. That's what I've seen personally.

Do you have ambitions of where you want to do next, like study abroad, or work at certain companies?

Marco: I'm probably going to make a startup. I'm mostly self-taught in general, but I work with Chris \[Roberts\] a lot.

Caterina: We were here last year at the Black Hat conference and we met Chris, they got connected on LinkedIn and started to talk and during this conference this year, they did a talk together on the main stage. They had a lot of fun here and Chris is one of the most generous people I've ever met.

Do you look at people in the industry who inspire you?

Marco: Not that much. I don't have many inspirations, I mostly just work on my stuff. I don't really like getting inspired by other people.

How did you get to be involved in this conference?

Caterina: Marco met with Ed Sleiman, who is the head of cybersecurity at KAUST, and Ed recognized his talent. So Ed brought him to the Black Hat conference last year, connected us with the organizers and they were pretty excited about having a young speaker like that. He did a talk on OSINT, and this year they invited him to present again.

Do you have any plans for the future?

Marco: Now, I don't have any plans, I want to see what I can learn.

**About the Author(s)**

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

How a Teenage Saudi Hacker Went From Lockpicking to Ransomware

PRESS RELEASE

SANTA CLARA, Calif., Nov. 27, 2023 — Fortanix® Inc., a leader in data security and pioneer of Confidential Computing, today announced Key Insight, a new industry-first capability in the Fortanix Data Security Manager TM (DSM) platform designed to help enterprises discover, assess, and remediate risk and compliance gaps across hybrid multicloud environments. At AWS re:Invent 2023, Fortanix will showcase the capabilities of Key Insight at booth #118.  
Data breaches lead to massive monetary losses, hefty penalties and severe brand damage. While traditional firewall and cloud security defenses shield the perimeter, the data itself remains vulnerable. Encryption is the final line of defense, but enterprises lack robust control over encryption keys, leading to significant risk. Enterprises need to fortify security beyond just its perimeter layers and are driving the paradigm shift towards a rigorous, data-centric security model with complete visibility and control over its encryption assets.  
According to a Gartner® report, “It is critical to understand if access to data and encryption keys by the CSP, by internal staff, or if the data residency locations across CSP platforms will create business impacts due to security or compliance risks.”  
Fortanix Key Insight is the first and only solution to provide consolidated insights and control of all cryptographic keys to protect critical data services. Security, cloud and developer teams can collaborate to assess risk posture and remediate compliance gaps consistent with policies, regulatory mandates, or industry standards (e.g., NIST, GDPR, PCI, etc.). Key Insight expands the power of Fortanix DSM, a unified data security platform for enterprise key management, data tokenization, secrets management, and more.   
“Key Insight provides a unique combination of discovery, assessment and remediation of encryption keys and cloud data services in one Enterprise Key Posture Management (EKPM) solution, helping enterprises prevent data breaches and failed regulatory audits,” said Anand Kashyap, co-founder and CEO at Fortanix. “Key Insight is aligned with our value statement – ‘Look. Know. Further.,’ by allowing companies to look across siloed encryption environments, know their data security risk posture, and go further with complete control of their data, including remediation.”   
Fortanix Key Insight offers several innovations to enhance data security:

*   Discover all encryption assets and provide a detailed mapping between encryption keys and data services in an intuitive and easy-to-understand dashboard  
    
*   Assess data security risk posture through visual heatmaps that quickly pinpoint risks, gaps and priorities against established policies, regulations and industry standards
    
*   Remediate gaps in policy and compliance to eliminate risk to achieve crypto agility at scale, with robust reporting to demonstrate continuous improvements over time  
    

“As the global leader in AI-based advanced imaging for healthcare applications, Rapid AI is fully committed to security, compliance, processes and technologies to protect its platform and sensitive patient data, especially in the cloud,” said Amit Phadnis, CTO of Rapid AI. “In this endeavor, awareness and proper management and remediation, where necessary, of encryption keys is of prime importance. Any tool that helps ease our encryption keys posture management would be desirable for our security and compliance teams.”    
“Organizations can ill afford data breaches and non compliance of globally proliferating privacy regulations," said Craig Gledhill, CEO of ACA Pacific. "Data encryption is crucial for protecting data, but equally crucial is the ability to pinpoint blind spots and remediate risks and compliance gaps. It is in this regard that the introduction of Fortanix Key Insight can be of great help to our customers in their quest for multicloud data security and compliance."  
This latest addition to Fortanix DSM adds another industry first to the platform’s robust list of capabilities, which include enterprise key management, data masking/tokenization, secrets management, code signing, and confidential AI and confidential data search.

Announcing Fortanix Key Insight — A Solution to Discover and Remediate Data Security Risks in Hybrid Multicloud Environments

The booster station shut off its automated system and moved to a manual system once the alarms sounded the breach.

Source: Zoonar GmbH via Alamy Stock Photo

This past weekend, the Aliquippa Municipal Water Authority, located in Pittsburgh, experienced a cyberattack after one of its booster stations was hacked by an Iranian-backed cyber group. 

The threat group, known as Cyber Av3ngers, hacked a system known as Unitronics, which has components that are Israeli-owned. The technology that monitors water pressure at the station shut down during the attack and a message appeared on the screen reading: "You Have Been Hacked. Down With Israel, Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target."

The booster station that was attacked "monitors and regulates pressure for Raccoon and Potter Townships" according to Matthew Mottes, chairman of the board of directors for the Municipal Water Authority of Aliquippa, though he has stressed that there is no current risk to the drinking water or water supply.

The automated system was immediately shut down and operations resumed manually. CISA is now investigating the attack, and there are concerns about further attacks on critical infrastructure within the United States, in general.

According to the cyber group's profile on X (formerly known as Twitter), it has claimed responsibility for several attacks globally, including 10 Israeli water treatment stations in the wake of the Gaza war, though these cyberattacks haven't been verified.

"Given that critical infrastructure sectors like water and wastewater are increasingly targeted by nation-state threat actors seeking to cause disruption, it is crucial for organizations to stay ahead of the curve," stated Mark Toussaint, senior product manager and operational technology (OT) expert at OPSWAT, in an email. "We know the White House has initiated executive orders and national plans to bolster cybersecurity, and industry-specific regulators are publishing cybersecurity guidelines, but in the face of evolving cyber threats, it is imperative for organizations to take a proactive and comprehensive perimeter defense strategy."

Cyberattack on Pennsylvania Water Authority Disrupts OT Gear

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

Source: John Williams RF via Alamy Stock Photo

Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to access admin passwords, mail server credentials, and license keys, exposing their enterprise to data breaches or other types of malicious activity.

The flaw, tracked as CVE-2023-49103 and disclosed by ownCloud on Nov. 21, earned the top score of 10 out of 10 on the CVSS severity rating due to its ease of exploitation. It arises from a flaw in the "graphapi" app used in ownCloud, a file server and collaboration platform that enables secure storage, sharing, and synchronization of commonly sensitive files.

Researchers from GreyNoise observed what they characterized as "mass exploitation" of the flaw in the wild starting as early as Nov. 25, with at least 40 unique IP addresses seen trying to exploit the flaw so far, according to the current data shown on its tracker.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, characterized the initial exploitation observed by GreyNoise as attackers "pretty much spraying it across the Internet to see what hits," in an online discussion on Tuesday.

The Shadowserver Foundation also is tracking exploitation of the flaw, having observed more than 11,000 exposed instances, with most of those located in Germany, the US, France, and Russia.

The app affected by the flaw is present in ownCloud versions 0.2.0 to 0.3.0. "This app utilizes a third-party library that will reveal sensitive PHP environment configurations, including passwords and keys," Thorpe wrote in the post.

It's important to note that only by patching can those affected mitigate the issue, as even disabling the app does not entirely resolve it, according to GreyNoise. The flaw affects both containerized and non-containerized ownCloud instances, although Docker containers from before February 2023 are not vulnerable to the credential disclosure, the researchers noted.

Moreover, the vulnerability is just one of three that ownCloud revealed last week, all of which allow attackers to breach data in deployments of the platform, the researchers noted. The other two are an authentication bypass flaw tracked as CVE-2023-49105 and a critical flaw related to the oauth2 app tracked as CVE-2023-49104.

"Organizations using ownCloud should address these vulnerabilities immediately," GreyNoise recommended.

**Top CVSS Rating**

OwnCloud is used by nearly 1 million organizations worldwide to manage and share data through a self-hosted platform, replacing the use of online services such as Dropbox to share files throughout an organization. Theoretically this makes enterprise file transfers more secure than sending them over a public cloud, except of course if the deployment of ownCloud is being exploited.

That's the current case of the critical flaw in graphapi, which relies on a third-party library that provides a URL which, when accessed, reveals the configuration details of the PHP environment, according to ownCloud.

These details include all the environment variables of the Web server, which in containerized deployments "may include sensitive data such as the ownCloud admin password, mail server credentials, and license key," according to ownCloud.

In its fix, ownCloud deleted the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabled the phpinfo function docker-containers to remedy the flaw. The company also plans to harden various aspects in future core releases to mitigate similar vulnerabilities.

In addition to applying the fix, ownCloud also recommended that companies change the following secrets in their deployments: ownCloud admin password, mail server credentials, database credentials, and object-Store/S3 access-key.

**Other Flaws to Consider**

While not quite as severe as the graphapi flaw, the two other flaws recently discovered by ownCloud also are rated as critical and deserve attention, the company said.

CVE-2023-49105, rated as 9.8 on the CVSS, allows for attackers to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing key configured, which is the platform's default configuration.

The flaw affects the ownCloud "core" app versions 10.6.0 – 10.13.0 and can be fixed by denying the use of pre-signed URLs if no signing key is configured for the owner of the files.

CVE-2023-49104, meanwhile, affects the ownCloud oauth2 app versions before 0.6.1 and allows someone to pass in a specially crafted redirect URL that bypasses the validation code. This, in turn, allows the attacker to redirect callbacks to an attacker-controlled top-level domain.

The flaw is rated as 9 on the CVSS and can be mitigated by hardening the validation code in the oauth2 app. A workaround that also fixes the flaw is to disable the "Allow Subdomains" option, according to ownCloud.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

Guy Tytunovich, founder and CEO of CHEQ, says the days of a one-size-fits-all consent strategy are gone. Consider a two-pronged approach and use smart consent management technology to adapt to differing regulations.

Source: Formatoriginal via Alamy Stock Photo

COMMENTARY

Five years since the European Union's General Data Protection Regulation (GDPR) took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act (CPRA).

Businesses weren't ready for GDPR, and many still aren't. So, what now?

**The Consent-Compliance Gap: How Businesses Are Falling Short**

Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. The issue isn't just understanding the law but also enforcing it effectively. Many companies assume that simply using consent banners or consent management platforms (CMPs) ensures compliance. But all too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.

The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. They may require different technical capabilities, such as real-time preference enforcement or the recognition of global opt-out preference signals. For example, the GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances.

This leads to the consent-compliance gap. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.

**It's About to Get More Complicated**

In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law, and China's Personal Information Protection Law (PIPL). Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation.

In 2023 alone, four US privacy laws entered enforcement including The Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). CPRA, an updated version of the CCPA, also entered partial enforcement this year. State-level privacy laws also passed in Delaware Indiana, Iowa, Montana, Oregon, and Texas.

These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated.

Here's where things get tricky. GDPR requires clear, affirmative consent. But the CPRA, CPA, and CTDPA don't necessarily need that "yes" from users before collecting data. Instead, it's enough to offer users an easy way to say "no." This "opt-out" model changes the game and makes crafting a one-size-fits-all consent strategy near impossible.

What does this mean for businesses that operate in multiple locations? They need to play by the toughest rules — the GDPR's "opt-in" — while also offering California users the "opt-out" choice. And let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.

This situation calls for a two-pronged solution. On the technical side, businesses need smart consent management technology that can adapt to different regulations. It should be able to serve specific consent banners based on user location, catering to the unique requirements of each region.

On the organizational side, there's a need for constant vigilance and updating. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly.

In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to applying these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.

**Compliance Is a Constant Effort in an Evolving Global Privacy Landscape**

For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. Today, that approach won't cut it.

As of June 2023, the EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million (US$786 million) judgment against Amazon in July 2021, was brought down because the tech company had been using an implied consent model on its EU properties.

Meanwhile, consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust. Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships.

But to gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals. Five years on, GDPR plays a key role in shaping this landscape, but it's just one piece of an increasingly complex puzzle.

**About the Author(s)**

Founder & CEO, CHEQ

Guy Tytunovich is the founder and CEO of CHEQ, the leader in Go-to-Market Security. Guy is a veteran of the Israeli Military cybersecurity and intelligence units and a founder of numerous tech companies in the space.

Source

DARKReading