Unsophisticated attackers can pinpoint where a person lives by lifting metadata from Strava and other apps, even if they're using a feature specifically aimed at protecting their location information.

Fitness apps such as Strava leak sensitive location information of users, even when they've used in-app features to specifically set up privacy zones to hide their activity within specified areas, researchers have found.

Two PhD students from KU Leuven in Belgium have discovered that if a person is starting his or her activity from home, an attacker with limited skills can use high-precision API metadata revealed in the app to pinpoint their home location, even if they've set up what's called an "endpoint privacy zone" (EPZ) for that area.

Moreover, despite contacting the companies with apps leaking this data, the problem is still largely unsolved, the researchers, Karel Dhondt and Victor Le Pochat, said. They plan to present their findings at Black Hat Asia in a session called "A Run a Day Won't Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks." Dhondt and Pochat previously presented the work and its accompanying paper at the ACM Conference on Computer and Communications Security (CCS) 2022 last November.

People use fitness apps like Strava to keep track of and share data about their fitness activity — such as running, cycling, or walking. From within the app, they can set and reach fitness goals, as well as compete or fitness train virtually with friends, among other uses.

However, this data, if it falls into the wrong hands, can be used against them to locate where they live or where they frequently conduct their fitness activity, leading to potential physical harm. In 2017, this scenario came to light when researchers revealed that Strava shared secret Army base locations when personnel on active duty shared their fitness activity to the app, potentially exposing them and their military activity to enemies and putting them at physical risk.

**When App Privacy Isn't Private**

In response to this revelation, Strava and other fitness apps added privacy features — called EPZs in Strava, but which has other names in other apps. These allow users to hide portions of their route around sensitive locations, such as their homes or offices, and only track activity once they've left those defined areas.

Specifically, EPZ in Strava is a circular area that someone can configure to hide traces of activity that occur within it. Other apps covered in the research that have similar features include Garmin Connect, Relive, Komoot, Map My Tracks, and Ride With GPS.

Dhondt and Le Pochat—a cyclist and a runner, respectively—are fitness-app enthusiasts themselves and embarked on their investigation out of their own personal interest. They knew that in theory, EPZs within Strava should protect location data about these sensitive locations from being revealed to app users, or anyone else viewing their activity data.

But that's actually not the case, they found. The researchers successfully constructed a cyberattack using distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ, they revealed in their research. These results allowed them to use regression analysis to predict protected locations of users even when they had set up privacy zones to hide them.

"In the metadata there is the distance value of the entire track — including the parts that are supposed to be hidden inside the privacy zone," Dhondt explains in an interview with Dark Reading. "The distance that has been covered inside the privacy zone has been leaked."

Using this metadata combined with maps of the local area, the researchers could make predictions about where other users ended or started their activity, thus where they live or work, he says.

Moreover, the attack itself is unsophisticated, meaning that anyone with a simple developer tool that can examine API data from Web server communications can view the leaked data, the researchers say.

"It's not like they have to forge API calls or alter ways they communicate with Strava," Dhondt says. "Whenever Strava draws the map of wherever the person went running or cycling, the high-precision API data is already there. You can use a developer tool and easily inspect network traffic. The data is just one keystroke away."

**Devising the Attack**

Researchers conducted their research using data from users worldwide and experimented to see if their attack worked in both sparsely populated or densely populated areas. It turns out that it does, but of course it's much easier to pinpoint locations in areas where there are only a few houses or other buildings, the researchers say.

Moreover, setting up a larger EPZ reduced the attack performance and success rate, while geographically dispersed activities in sparser street grids yield better attack performance. "In rural or sparse areas, if you have a privacy zone of 200 meters with only a couple of houses in the zone, it's easier to pinpoint location," Dhondt says.

In terms of the data collected and examined, the researchers conducted random, large-scale data scraping of 4,000 users and 1.4 million Strava activities in various worldwide locations over a month-long period. Their results for Strava found that the attack discovers the protected location for up to 85% of EPZs, thus only protecting 15% of users who set up these zones.

**Mitigation & (Lack of) Response **

The researchers responsibly disclosed their findings to all of the companies whose apps they investigated, as well as offered a number of ways that issues can be resolved. However, so far, only Strava has responded to researchers beyond thanking them for the disclosure, and the two are in ongoing discussions with the fitness app provider for potential mitigations.

Still, the companies don't seem particularly interested in applying mitigations, citing diminished user experience if the proposed fixes were applied, the researchers said.

"They were reluctant to apply any of our recommendations because they felt like it would negatively impact the utility for their users," Dhondt says. However, while this may be true of the some of the proposed fixes, it's not true of all of them, he says.

One mitigation, for instance, calls for the apps to minimize the accuracy of the data revealed in APIs used in network communications. In Strava, the data in the user interface about the distance traveled is rounded down with 10-meter accuracy, and the distance traveled within the privacy zone is shown rounded down with 100-meter accuracy. However, both distances are provided in the API with 0.1 meter accuracy, Le Pochat says.

Therefore, "the lower the accuracy of the reported distances in the API, the lower the success rate \[of the attack\] would be," Dhondt says.

The researchers also suggest that the apps could help the users choose the size of their privacy zone given the area in which they live and whether it's densely populated or not, which would be a relatively easy fix to do, they say. They also suggest using non-circular, less-typical shapes to create the zone to make it more difficult to pinpoint the location, which the Kommut app already does.

To be fair, though, some of the suggested mitigations do take away from the user experience of the app, the researchers acknowledge. Among these are suggestions to shift the distance slightly by taking it from the start and adding it to the end, and another to cut off the start and finish in the privacy zone from the distance measured in the app so no one could track where a user had been during their route.

"People use these apps to track their performances, so they might not like that," Dhondt says. "They take away from some of the fun and attraction of these apps."

Overall, the researchers say, Strava and other fitness-app providers have to balance the usability and functionality of these apps and decide what's more important.

"It's a difficult decision whether you prioritize privacy, which reduces the amount of data and reduces the functionality, or prioritize the functionality of the app," Le Pochat says. "Sometimes you have to make tradeoffs and give away privacy to gain functionality."

Popular Fitness Apps Leak Location Data Even When Users Set Privacy Zones

Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.

Popular attacks for a trio of critical vulnerabilities kept exploitation at the top of the list of initial-access methods in 2022, while the war between Russia and Ukraine resulted in an unprecedented volume of attacks from a specific group of threat actors.

That's according to the annual M-Trends report from Google Cloud's Mandiant, published on April 18, which highlights that a few global incidents can dramatically affect the overall threat landscape. 

The volume of attacks used in the Russia-Ukraine conflict, for example, resulted in the government sector's rise to the top of the list of targeted industries, accounting for 25% of all attacks investigated by Mandiant, up from 9% in 2021, when government agencies ranked sixth on the list. Meanwhile, about 36% of incidents investigated by Mandiant included the use of software exploits, with four out of every nine of those attacks targeting a vulnerable version of Log4j, the open source logging library.

Significant events — such as the Log4j patch effort — can have massive, albeit temporary, effects on the threat landscape, says Luke McNamara, a principal analyst with Mandiant.

"You have this ... massive spike in these methods as the initial infection vector, but a lot of it was ... the impact of one singular incident," he says, comparing the impact to the surge in supply chain attacks in 2021 due to the compromise of SolarWinds. "It's not necessarily indicative that this is going to be a large-scale trend that we're gonna see more and more of, but just something that impacts the threat activity for that given year."

Similarly, Russia's war against Ukraine had a dramatic impact on the threat landscape for more than year, Google Cloud stated in the report. A cyber-espionage group, UNC2589, and another group linked to Russian military intelligence, APT28, conducted extensive information collection and disinformation operations prior to Russia's February 2022 invasion of Ukraine. Now the threat groups appear to alternate information gathering and espionage campaigns with destructive attacks.

In the first four months of the war, the Mandiant group recorded more destructive attacks against Ukrainian organizations than in the previous eight years, according to the report.

"The invasion of Ukraine represents one of the first instances in which a major cyber power has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations," the Mandiant report stated. "Mandiant has never observed threat actor activity that matches the volume of attacks, variety of threat actors, and coordination of effort as was seen during the first months following the invasion by Russia."

**A Few Good Flaws**

Those attacks — and the threat landscape more generally — relied on a handful of initial access methods. Overall, 80% of the incidents investigated by Mandiant typically used a software exploit, phishing attacks, stolen credentials, or leveraged a prior compromise, the report stated. The exploitation of known vulnerabilities was the most popular initial access vector, accounting for 32% of incidents where the initial compromise could be determined, while phishing accounted for 22% and stolen credentials for 14%.

    

Exploits accounted for about a third of initial attacks, with more than 80% enabled by three vulnerabilities. Source: M-Trends 2023

Among exploits, three vulnerabilities made up the lion's share of the attacks. The primary vulnerability in Log4j (CVE-2021-44228) accounted for the largest portion (44%) of known exploits, but along with two other vulnerabilities — one affecting F5's Big-IP (CVE-2022-1388) and another affecting VMware's Workspace One Access and Identity Manager (CVE-2022-22954) — the trio accounted for nearly 90% of exploits.

Because all three vulnerabilities are often accessible remotely, attackers scan for them regularly, McNamara says.

"Targeting and exploiting perimeter devices that are accessible via the internet — things like firewalls, virtualization solutions, VPN — those are highly sought after targets for attackers," he says. "We saw this with Ukraine because \[threat groups\] leverage a lot kind of 'living on the edge,' as we put it, where they've used edge and perimeter network devices to come back in when they've been kicked out multiple times from a given organization."

**More External Detections, Less Dwell Time**

In another trend, the share of incidents discovered internally shrank in 2022, with 37% incidents detected by the targeted company and 63% of incidents disclosed to the target by a third party. The share of incidents not detected by a company's internal security teams has grown in every geography, slowly in the Americas, but much more quickly in the Asia-Pacific region (APAC) and the Europe, Middle East, and Africa (EMEA) regions.

Yet despite the more significant role played by third parties in attack detection, dwell time has decreased to 16 days in 2022, down from 21 in 2021. The debate is whether the decrease is due to defenders detecting attacks more quickly or attackers ending an attack with a destructive — and obvious — payload, Google Cloud's McNamara says.

"Really, the last two, three, four years, we've seen more and more disruptive activity, as the extortion space has become more multifaceted," he says. "Trying to kind of tease out how much of that is due to organizational maturity — organizations are getting better at catching threat actors — and how much of it is due to ... the nature of the activity itself is difficult."

However, while the median dwell time is 16 days, ransomware investigations are only seeing a median dwell time of nine days, whereas it's 17 days for non-ransomware investigations.

The cyber conflict between Russia and Ukraine also impacted the dwell time, according to Mandiant's report, as external intelligence agencies and companies notified Ukrainian organizations of breaches.

"The increase in external notification observed in 2022 is likely impacted by Mandiant’s investigative support of cyber threat activity which targeted Ukraine and an increase in proactive notification efforts," the report stated. "Proactive notifications from security partners enable organizations to launch response efforts more effectively."

3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022

Combined solutions expected to deliver complete API visibility and security coverage across all of the OWASP API top 10 attacks.

**CAMBRIDGE, Mass.****,** **April 19, 2023** **/PRNewswire/ --** Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today announces that it has entered into a definitive agreement to acquire Neosec, an API detection and response platform based on data and behavioral analytics.

Neosec's API security solution will complement Akamai's market leading application and API security portfolio by dramatically extending Akamai's visibility into the rapidly growing API threat landscape. The combination is designed to make it easy for customers to secure their API's by helping them discover all of their APIs, assess their risk, and respond to vulnerabilities and attacks.

"With rapidly accelerating digital transformation, APIs are the new frontier for digital business and the enablement of critical business functions," said Mani Sundaram, executive vice president and general manager, Security Technology Group, Akamai Technologies. "Enterprises expose full business logic and process data via APIs, which, in a cloud-based economy, are vulnerable to cyberattacks. Neosec's platform and Akamai's application security portfolio will allow customers to gain visibility into all APIs, analyze their behavior and protect against API attacks."

The combined API solutions are expected to put Akamai at the forefront of a critical emerging category of API security for which customers are actively seeking support. The rapidly growing global market for API security solutions is driven by the proliferation of APIs and the associated increase in cybersecurity threats. API-based architectures and microservices are the core of every application developed today, from B2B to web and mobile applications, and therefore are a primary target for attackers. Additionally, regulatory compliance laws such as FFIEC, SOC, GDPR, HIPAA and PCI DSS require enterprises to strengthen their security measures on APIs.

"What sets Neosec apart from other API security providers is the complete visibility into all API activity and the use of behavioral analytics that detect threats others miss," said Giora Engel, co-founder and chief executive officer, Neosec. "Unlike other solutions, Neosec delivers rich, XDR-like API visibility combined with detection and response capabilities that enable full investigation and threat hunting. Ultimately, Akamai customers will have a better view into all of their API activity, to identify vulnerabilities and threats before they are exposed, and detect attacks in runtime."

Neosec, headquartered in Palo Alto, California and Tel Aviv, Israel, is a privately funded company. Neosec's employees, including co-founder and CEO, Giora Engel, and co-founder and chief technology officer, Ziv Sivan, are expected to join Akamai's Security Technology business.

The acquisition is expected to close in the second quarter of 2023. For the fiscal year 2023, the acquisition is anticipated to be slightly dilutive to non-GAAP EPS by approximately $0.04 to $0.06 and is not expected to add any material revenue. On its next quarterly earnings call currently scheduled for May 9, 2023, Akamai plans to provide first quarter financial results and full year 2023 financial guidance including any expected impact from Neosec.

For more information, visit the Akamai application and API security page.

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

**Akamai Statement Under the Private Securities Litigation Reform Act**

This release contains statements that are not statements of historical fact and constitute forward-looking statements for purposes of the safe harbor provisions under The Private Securities Litigation Reform Act of 1995, including, but not limited to, statements about expectations, plans and prospects of Akamai. Actual results may differ materially from those indicated by these forward-looking statements as a result of various important factors including, but not limited to, the failure of our investments in innovation to generate solutions that are accepted in the market; effects of competition, including pricing pressure and changing business models; impact of macroeconomic trends, including economic uncertainty; conditions and uncertainties in the geopolitical environment; continuing supply chain and logistics costs, constraints, changes or disruptions; defects or disruptions in our products or IT systems, including cyberattacks, data breaches or malware; failure to realize the expected benefits of any of our acquisitions or reorganizations; changes to economic, political and regulatory conditions in the United States and internationally; delay in developing or failure to develop new service offerings or functionalities, and if developed, lack of market acceptance of such service offerings and functionalities or failure of such solutions to operate as expected, and other factors that are discussed in our Annual Report on Form 10-K, quarterly reports on Form 10-Q, and other documents periodically filed with the SEC. In addition, the statements in this press release and on our quarterly earnings conference call represent Akamai's expectations and beliefs as of the date of this press release. Akamai anticipates that subsequent events and developments may cause these expectations and beliefs to change. However, while Akamai may elect to update these forward-looking statements at some point in the future, it specifically disclaims any obligation to do so. These forward-looking statements should not be relied upon as representing Akamai's expectations or beliefs as of any date subsequent to the date of this press release.

**Use of Non-GAAP Financial Measures**

In addition to providing financial measurements based on generally accepted accounting principles in the United States of America (GAAP), Akamai provides additional financial metrics that are not prepared in accordance with GAAP (non-GAAP financial measures). Management uses non-GAAP financial measures to understand and compare operating results across accounting periods, for financial and operational decision making, for planning and forecasting purposes, to measure executive compensation and to evaluate Akamai's financial performance. The non-GAAP financial measure used in this release is non-GAAP net income per diluted share.

Management believes that this non-GAAP financial measure reflects Akamai's ongoing business in a manner that allows for meaningful comparisons and analysis of trends in the business, as it facilitates comparing financial results across accounting periods and to those of our peer companies. Management also believes that this non-GAAP financial measure enables investors to evaluate Akamai's operating results and future prospects in the same manner as management. The non-GAAP net income per diluted share metric may exclude expenses and gains that may be unusual in nature, infrequent or not reflective of Akamai's ongoing operating results.

This non-GAAP financial measure does not replace the presentation of Akamai's GAAP financial results and should only be used as a supplement to, not as a substitute for, Akamai's financial results presented in accordance with GAAP. For historical non-GAAP measures, Akamai has provided a reconciliation of each non-GAAP financial measure used in its financial reporting and investor presentations to the most directly comparable GAAP financial measure. These reconciliations can be found under the caption "Reconciliation of GAAP to Non-GAAP Financial Measures" on the Investor Relations section of Akamai's website.

Akamai provides forward-looking statements in the form of guidance during its quarterly earnings conference calls.  This guidance is provided on a non-GAAP basis and cannot be reconciled to the closest GAAP measure without unreasonable effort because of the unpredictability of the amounts and timing of events affecting the items we exclude from non-GAAP measures. For example, stock-based compensation is unpredictable for Akamai's performance-based awards, which can fluctuate significantly based on current expectations of future achievement of performance-based targets. Amortization of intangible assets, acquisition-related costs and restructuring costs are all impacted by the timing and size of potential future actions, which are difficult to predict. In addition, from time to time, Akamai excludes certain items that occur infrequently, which are also inherently difficult to predict and estimate. It is also difficult to predict the tax effect of the items we exclude and to estimate certain discrete tax items, like the resolution of tax audits or changes to tax laws. As such, the costs that are being excluded from non-GAAP guidance are difficult to predict and a reconciliation or a range of results could lead to disclosure that would be imprecise or potentially misleading. Material changes to any one of the exclusions could have a significant effect on our guidance and future GAAP results.

Akamai's definition of the non-GAAP measure used in this press release is outlined below:

Non-GAAP net income per diluted share – Non-GAAP net income divided by weighted average diluted common shares outstanding. Diluted weighted average shares outstanding are adjusted in non-GAAP per share calculations for the shares that would be delivered to Akamai pursuant to the note hedge transactions entered into in connection with the issuances of $1,150 million of convertible senior notes due 2027 and 2025, respectively. Under GAAP, shares delivered under hedge transactions are not considered offsetting shares in the fully-diluted share calculation until they are delivered. However, the company would receive a benefit from the note hedge transactions and would not allow the dilution to occur, so management believes that adjusting for this benefit provides a meaningful view of operating performance. With respect to the convertible senior notes due in each of 2027 and 2025, unless Akamai's weighted average stock price is greater than $116.18 and $95.10, respectively, the initial conversion price, there will be no difference between GAAP and non-GAAP diluted weighted average common shares outstanding.

Non-GAAP net income – GAAP net income adjusted for the following tax-affected items: amortization of acquired intangible assets; stock-based compensation; amortization of capitalized stock-based compensation; acquisition-related costs; restructuring charges; amortization of debt discount and issuance costs; amortization of capitalized interest expense; certain gains and losses on investments; income and losses from equity method investment; and other non-recurring or unusual items that may arise from time to time.

The non-GAAP adjustments, and Akamai's basis for excluding them from non-GAAP financial measures, are outlined below:

*   Amortization of acquired intangible assets – Akamai has incurred amortization of intangible assets, included in its GAAP financial statements, related to various acquisitions Akamai has made. The amount of an acquisition's purchase price allocated to intangible assets and term of its related amortization can vary significantly and is unique to each acquisition; therefore, Akamai excludes amortization of acquired intangible assets from its non-GAAP financial measures to provide investors with a consistent basis for comparing pre- and post-acquisition operating results.
*   Stock-based compensation and amortization of capitalized stock-based compensation – Although stock-based compensation is an important aspect of the compensation paid to Akamai's employees, the grant date fair value varies based on the stock price at the time of grant, varying valuation methodologies, subjective assumptions and the variety of award types. This makes the comparison of Akamai's current financial results to previous and future periods difficult to interpret; therefore, Akamai believes it is useful to exclude stock-based compensation and amortization of capitalized stock-based compensation from its non-GAAP financial measures in order to highlight the performance of Akamai's core business and to be consistent with the way many investors evaluate its performance and compare its operating results to peer companies.
*   Acquisition-related costs – Acquisition-related costs include transaction fees, advisory fees, due diligence costs and other direct costs associated with strategic activities, as well as certain additional compensation costs payable to employees acquired from the Linode acquisition if employed for a certain period of time. The additional compensation cost was initiated by and determined by the seller, and is in addition to normal levels of compensation, including retention programs, offered by Akamai. Acquisition-related costs are impacted by the timing and size of the acquisitions, and Akamai excludes acquisition-related costs from its non-GAAP financial measures to provide a useful comparison of  operating results to prior periods and to its peer companies because such amounts vary significantly based on the magnitude of the acquisition transactions and do not reflect Akamai's core operations.
*   Restructuring charges – Akamai has incurred restructuring charges from programs that have significantly changed either the scope of the business undertaken by the Company or the manner in which that business is conducted. These charges include severance and related expenses for workforce reductions, impairments of long-lived assets that will no longer be used in operations (including right-of-use assets, other facility-related property and equipment and internal-use software) and termination fees for any contracts canceled as part of these programs. Akamai excludes these items from its non-GAAP financial measures when evaluating its continuing business performance as such items vary significantly based on the magnitude of the restructuring action and do not reflect expected future operating expenses. In addition, these charges do not necessarily provide meaningful insight into the fundamentals of current or past operations of its business.
*   Amortization of debt discount and issuance costs and amortization of capitalized interest expense – In August 2019, Akamai issued $1,150 million of convertible senior notes due 2027 with a coupon interest rate of 0.375%. In May 2018, Akamai issued $1,150 million of convertible senior notes due 2025 with a coupon interest rate of 0.125%. The imputed interest rates of these convertible senior notes were 3.10% and 4.26%, respectively. This is a result of the debt discounts recorded for the conversion features that, prior to January 1, 2022, were required to be separately accounted for as equity under GAAP, thereby reducing the carrying value of the convertible debt instruments. The debt discounts were amortized as interest expense. On January 1, 2022, Akamai adopted the new guidance for accounting for convertible instruments. This new guidance eliminated separate accounting for the equity portion, and thus the amortization of the debt discount that was recorded as interest expense.  Prior to January 1, 2022, Akamai excluded this non-cash interest expense from its non-GAAP results because it was not representative of ongoing operating performance.  After January 1, 2022, this interest expense is no longer included in or excluded from GAAP or non-GAAP results. Additionally,  the issuance costs of the convertible senior notes are amortized to interest expense and are also excluded from Akamai's non-GAAP results because management believes the non-cash amortization expense  is not representative of ongoing operating performance.
*   Gains and losses on investments – Akamai has recorded gains and losses from the disposition, changes to fair value and impairment of certain investments. Akamai believes excluding these amounts from its non-GAAP financial measures is useful to investors as the types of events giving rise to these gains and losses are not representative of Akamai's core business operations and ongoing operating performance
*   Income and losses from equity method investment – Akamai records income or losses on its share of earnings and losses from its equity method investment. Akamai excludes such income and losses because it does not have direct control over the operations of the investment and the related income and losses are not representative of its core business operations.
*   Income tax effect of non-GAAP adjustments and certain discrete tax items – The non-GAAP adjustments described above are reported on a pre-tax basis. The income tax effect of non-GAAP adjustments is the difference between GAAP and non-GAAP income tax expense. Non-GAAP income tax expense is computed on non-GAAP pre-tax income (GAAP pre-tax income adjusted for non-GAAP adjustments) and excludes certain discrete tax items (such as recording or releasing of valuation allowances), if any. Akamai believes that applying the non-GAAP adjustments and their related income tax effect allows Akamai to highlight income attributable to its core operations.

Akamai Technologies to Acquire API Security Company Neosec

MFA isn't immune from the tug of war between attackers and defenders.

It's a well-known and statistically proven fact that password-only credentials pose the highest cyber-risk to people and organizations. Passwords are easily compromised through a wide variety of attacks, such as social engineering and phishing, and often packaged and sold online.

With the widespread adoption of remote work both during and post-pandemic, the need for tighter security created an inflection point for organizations to finally adopt multifactor authentication (MFA) solutions. MFA has been around for decades, and there are abundant options in the marketplace suitable for every industry and organization. But while MFA is inherently more secure than password-only credentials, not all MFA solutions are created equal, and each must be properly configured and managed to prevent attackers from circumventing them.

The premise of MFA is that by requiring "multiple factors" for authentication — a combination of something you know, something you have, something you are and something you do — it makes the job of an attacker with, say, just a stolen password much harder. Unfortunately, when MFA is based on two weaker factors — such as a password (something you know and can easily remember) and a mobile push notification (delivered to something you have, like a mobile authenticator app) — it can still be compromised. For example, a bad actor might use a dictionary attack to obtain a password and then, upon encountering a verification step using MFA, employ push notification phishing to bombard and trick the user into approving the repeated requests. This technique is commonly referred to as MFA fatigue and was recently used by a teenager to perpetrate a successful attack on Uber.

**Phishing-Resistant MFA**

The good news is that there are phishing-resistant MFA solutions based on standards by the Fast Identity Online (FIDO 2.0) suite of specifications, which includes support for passwordless authentication. In addition, there are hardware-based options such as smart card standards and specifications based on the efforts of the Secure Technology Alliance.

Many MFA solutions employ biometrics for a "something you are" authentication factor. The beauty of biometrics is that they possess these fundamental characteristics, which are:

*   **Universal:** Every person using a system or application can be expected to possess the feature (e.g., face, finger, voice)
*   **Unique:** Every person has unique, different, and distinguishable aspects of the feature (e.g., facial features, fingerprint ridges and valleys, voice tone and intonation)

*   **Permanent:** The feature is reasonably stable, permanent, and invariable over time to perform matching
*   **Collectable:** The feature set can be acquired, measured, and processed with ease during capture
*   **Defendable:** The feature can be defended from abuse, misuse, theft, imitation, and substitution
*   **Performant:** The feature, when combined with matching and liveness detection, performs with accuracy, speed, scale, and ease of use
*   **Adoptable:** The population expected to use their personal features are willing adopters and enrollers

**The Deepfake Problem**

Leaving aside the criticisms of biometrics (over bias, collection, misuse, privacy, and surveillance), threat actors are now using presentation attack types such as deepfakes and spoofing to get around them. While it might sound like something right out of a movie script, in recent years financial institutions and banks have experienced unprecedented fraud during new account creation, loan applications, payments, and transaction disputes. These and other highly regulated industries are legally required to perform identity proofing and verification processes referred to as "electronic know your customer" (eKYC). Unfortunately, not only do many legitimate applicants fail to complete the proofing and verification process due to its complexity, but bad actors have been impersonating real people and using synthetic data seek to "mask" their identities in fake documents and during biometric enrollment.

Fortunately, deepfakes and spoofing can be thwarted through techniques (such as passive liveness detection) that are undetectable by bad actors. There are several third-party-testing and -certifying labs that not only validate vendor solutions but will also validate the implementation of the solution to ensure it is deployed effectively. And just last month, the third edition of the "Handbook of Biometric Anti-Spoofing" was released, which has been updated with broader coverage of presentation attack detection (PAD) methods for a range of biometric modalities, including face, fingerprint, iris, voice, vein, and signature recognition.

There is no question that MFA provides organizations with a significant upgrade in protection over passwords. Like most cybersecurity technologies, however, MFA isn't immune from the continual tug of war between attackers and defenders. Organizations need to think carefully about which solution they choose and how it's implemented, to avoid falling victim to the latest threats.

How to Prevent 2 Common Attacks on MFA

Risk quantification research finds healthcare, manufacturing, and utilities suffer long-term financial impact from major cyberattacks.

**ARLINGTON, Va. – April 18, 2023 –** **ThreatConnect, Inc**, maker of leading threat intelligence operations (TI Ops) and risk quantification solutions, announced today the release of the company's first risk quantification report, which assessed the financial impact of ransomware attacks on small ($500M), medium ($1.5B) and large ($15B) organizations within healthcare, manufacturing, and utilities. 

"With the National Cyber Strategy coming out of the White House focusing on decreasing cyber risk from critical infrastructure and the new SEC Cyber Proposals, organizations across industries are now being tasked with reporting on cyber risk," said Jerry Caponera, GM of Risk Quantification, ThreatConnect. "Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks."

In this new report, ThreatConnect examined thousands of companies in the healthcare, manufacturing, and utility industries.  Analyzing tens of thousands of losses from around the world, ThreatConnect estimated median hits to operating incomes. Cyber losses can impact a current fiscal year but can also linger and impact current and future fiscal years as costs, including legal fees, settlements, and brand damage, can take time to materialize. 

The staggering results point to the need to continuously quantify cyber risk and prioritize investments in monetary terms. Potential losses due to cyber attacks shift on a regular basis based on changes in attack surface, investments in security defenses, and an evolving business landscape. Because of these changes, it’s important to measure enterprise risk on a continuous basis.

**Healthcare:** 

Healthcare organizations are under constant threat of attack as ransomware groups target the industry in an effort to reap quick financial gain. Due to public backlash, some ransomware threat groups stated that they would avoid conducting similar attacks in the future on hospitals and healthcare facilities that put patients’ lives in jeopardy. Despite these claims, healthcare facilities are still highly targeted by ransomware groups, stopping operations and putting patient lives in danger.  As one of the most highly regulated industries, healthcare is still behind the curve when it comes to having a solid cybersecurity posture. 

**Manufacturing:**

According to a recent IBM report, manufacturing was the most targeted sector for ransomware cyber-attacks and the most extorted industry in 2022. Ensuring that systems and processes are running optimally is critical to the success of manufacturing companies, the economic success of nations, and consumers who depend on the goods produced for everyday life. Ransomware attacks on manufacturing companies tend to cause operational disruptions, which can cascade through supply chains and into the broader economy. 

**Utilities:**

Hackers are increasingly exploiting utility companies that provide the energy needed to power our economies and enable most of what we use daily.  Ransomware attacks, such as that on Colonial Pipeline in the US and Volue ASA in Norway, show an increasing trend where hackers target the smaller and medium-sized utility companies they perceive as easier targets. President Biden’s National Cyber Strategy will increase regulation on utility companies in an attempt to mitigate the increasing threat of a catastrophic cyber attack.

Read the full report at:  

**About ThreatConnect**

ThreatConnect enables security operations and threat intelligence teams to work together for more efficient, effective, and collaborative cyber defense and protection. With ThreatConnect, organizations infuse threat intelligence and cyber risk quantification into their work, allowing them to orchestrate and automate processes to respond faster and more confidently than ever before. More than 200 enterprises and thousands of security operations professionals rely on ThreatConnect every day to protect their most critical systems. Learn more at

Cyberattacks Can Cost Enterprises Up to 30% of Operating Income According to ThreatConnect

1Password research reveals consumers are fed up with passwords; education, access, and validation will drive passwordless adoption.

**TORONTO****,** **April** **18,** **2023** **/PRNewswire/** **—** 1Password, the leader in human-centric security and privacy, today released its _Preparing for a Passwordless Future_ report. The report revealed a strong consumer appetite for easier-to-use login experiences. Despite relatively low awareness of passwordless technology—which aims to relegate passwords to a thing of the past—65% of consumers report they'd be open to using new technology that makes their lives simpler. Passkeys, the newest and most secure passwordless technology, are poised to do just that, transforming our online lives by making logging in simpler to navigate and far more secure.

"Convenience shouldn't come at the expense of security," said Jeff Shiner, CEO of 1Password. "Technology should make our lives easier, but logging into the apps and services we use daily has become extremely complicated. It's time to push for solutions that provide great user experience without sacrificing security. People are already interested in passwordless technology; ongoing education on how passkeys are good for security, revenue, and usability will unlock a new, safer, and more enjoyable passwordless era."

**Fed Up with Passwords**  
Four in five consumers (80%) say they care about their online privacy and actively take measures to protect it. It's clear that they also believe we can do better than passwords for both security and ease.

*   **Safety first:** 77% of consumers would love a more secure way to log in to accounts.
*   **Login exhaustion:** 70% say having to remember or reset their passwords is a regular annoyance.

**Beleaguered by Breaches**  
Bad password hygiene is responsible for the countless security breaches. In fact, 82% of breaches **involve a human element** — including phishing attacks, stolen credentials, and errors. However, the transition to passkeys will render these types of attacks obsolete and help reassure the nine in 10 consumers (91%) worried about data breaches.

*   **Pervasive phishing:** Phishing attacks, or fake texts and emails that bait consumers into sharing their credentials with hackers, affect all of us. Everyone (100% of consumers) either received phishing messages or know someone who did in the past year.
*   **Fake friends:** People say they're most susceptible to phishing attacks purporting to come from their bank (43%), a friend (41%), or their spouse (39%). Just 25% say they're likely to fall for a phishing message that looks like it's coming from their boss.

**Passwordless Curious**

Despite just a quarter of consumers (25%) reporting that they've heard the term 'passwordless', they're intrigued by the concept, with 58% signaling interest in signing in without a password.

*   **Preference for passkeys:** When shown an example of passkeys, three in four (75%) indicate they'd consider using them—with nearly one in five (19%) saying they'd start using passkeys as soon as they're available.
*   **Calibrating comfort:** Consumers are at least somewhat open to trying passwordless logins for less risky accounts—rising to 82% for one-time "throwaway" accounts, 81% for workplace accounts, and 77% for retail accounts. Conversely, 58% are at least somewhat open to using passwordless logins for financial accounts.
*   **Biometrics boom:** 87% of those already using biometrics are open to using passkeys, compared to 57% of those not using biometrics.

"Passwordless technology brings great benefits for companies and their customers alike—making it easier to securely access online services while greatly reducing fraud and user frustration," said Andrew Shikiar, executive director and CMO of the FIDO Alliance. "This has been the mission of the FIDO Alliance since day one, with authentication experts from hundreds of companies, including 1Password, collaborating to make this vision a reality with passkey sign-ins."

To see the full report from 1Password, visit our website. For more information on the websites, apps, and services that offer passkeys support, visit https://passkeys.directory.

**About 1Password**

1Password's human-centric security keeps people safe, at work and at home. Our solution is built from the ground up to enable anyone – no matter their level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning security platform is reshaping the future of authentication, including passwordless. 1Password is trusted by over 100,000 businesses such as IBM, Slack, Snowflake, Shopify, and Under Armour and protects the most sensitive information of millions of individuals and families across the globe. The company's ultimate goal is to help consumers and businesses get more done in less time – with security and privacy as a given. Learn more at 1Password.com.

**Survey Methodology**

1Password conducted this research using an online survey prepared by Method Research and distributed by Dynata among n=2,000 adults ages 18+ in North America (n=1,400 US + n=600 Canada). The sample was equally split between gender groups with a balanced spread across age groups. A spread of geographies and race groups were included. Data was collected from January 25 to 31, 2023.

SOURCE 1Password

Report: Over Half of North American Consumers Are Open to Passwordless

The most common consequences were unplanned expenses, loss of competitive edge, and decreased sales.

**FRISCO, Texas, April 18, 2023** – Netwrix, a cybersecurity vendor that makes data security easy, today announced the release of its annual global 2023 Hybrid Security Trends Report. It reveals that 68% of organizations experienced a known cyberattack within the last 12 months. Nearly 1 in 6 (16%) of those organizations estimated the financial damage to be at least $50,000. What’s more, 40% of the breached organizations incurred unplanned expenses and 10% suffered other serious consequences, such as loss of competitive edge, decreased sales or customer churn.

To mitigate the risk of financial loss from data breach, organizations often opt to purchase cyber insurance. Indeed, the study found that 44% of organizations are insured and 15% plan to purchase a policy within the next 12 months. Nearly 1 in 4 (22%) of the organizations with a policy had to improve their security posture to even be eligible for the policy. 

“While cyber insurance has value, it’s vital to remember that it is no substitute for a strong security posture. After all, while an insurance payout can defray the financial impact of a security incident, no policy can restore an organization’s data, operations or reputation,” says Dirk Schrader, VP of Security Research at Netwrix.

The survey also reveals that on-premises infrastructures suffer more cyberattacks than the cloud. The starkest difference was for ransomware and other malware attacks, which were reported by nearly twice as many respondents for on-premises environments (37%) as for the cloud (19%). 

“On-prem environments are more vulnerable to attacks than software-as-a-service (SaaS) systems because they often have sprawling privileges on the infrastructure level. For example, users might have administrative rights on their computers and service accounts often have elevated rights. Malicious actors can abuse these standing privileges to spread malware quickly across on-premises systems,” says Dmitry Sotnikov, VP of Product Management at Netwrix.

Other survey findings include:

*   81% of organizations now use at least one cloud environment and more than a third (37%) of the remainder plan to adopt cloud technologies within 12 months.
*   Phishing is the most common attack vector: 73% of respondents suffered this type of cyberattack on premises and 58% experienced it in the cloud.
*   Account compromise attacks in the cloud continue to intensify, with 39% of respondents reporting it in 2023 compared to 31% in 2022 and just 16% in 2020.
*   Risk associated with an organization’s own employees was the top data security concern, cited by 58% of respondents.
*   The three main IT priorities for 2023 have remained the same since 2019: data security, network security and cybersecurity training.

“Understaffing of IT teams is the biggest challenge to ensuring data security, cited by half of respondents. Therefore, it is crucial to build a security architecture that reduces the workload for IT and security pros. Automating routine tasks, choosing mature security products that produce fewer false positive alerts, and relying on a select group of trusted vendors that have an extensive portfolio and a unified support team can help mitigate the shortage of security personnel,” says Dmitry Sotnikov.

**About Netwrix** 

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure.  

For more information, visit www.netwrix.com.

Netwrix Annual Security Survey: 68% of Organizations Experienced a Cyberattack Within the Last 12 Months

KnowBe4 releases Q1 2023 global phishing report and finds that more IT and online services related email subjects are utilized as a phishing strategy.

**Tampa Bay, FL (April 18, 2023) –** KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced the results of its Q1 2023 top-clicked phishing report. The results include the top email subjects clicked on in phishing tests and reflect the shift to IT and online service notifications such as laptop refresh or account suspension notifications that can affect end users’ daily work. 

Phishing emails continue to be one of the most common methods to effectively perpetuate malicious attacks on organizations around the globe. Cybercriminals are always refining their strategies to stay one step ahead of end users and organizations by changing phishing email subjects to be more believable. They prey on emotions and aim to cause distress or confusion in order to entice someone to click. Phishing tactics are changing with the increasing trend of cybercriminals using email subjects related to IT and online services such as password change requirements, Zoom meeting invitations, security alerts and more. These are effective because they would impact an end users’ daily workday and subsequent tasks to be completed.  

Holiday phishing email subjects were also utilized this quarter with incentives such as a change in schedule, gift card and spa package giveaway used as bait for unsuspecting end users. Tax-related email subjects became more popular as the U.S. prepared for tax season in Q1. 

"Cybercriminals are constantly increasing the damage they cause to organizations by luring unsuspecting employees into clicking on malicious links or downloading fake attachments that seem realistic," said Stu Sjouwerman, CEO, KnowBe4. "Emails that are disguised as coming from an internal source such as the IT department are especially dangerous because they appear to come from a more trusted, familiar place where an employee would not necessarily question it or be as skeptical. Building up an organization’s human firewall by fostering a strong security culture is essential to outsmart bad actors."

To download a copy of the Q1 2023 KnowBe4 Phishing Report infographic, visit here.  

**About KnowBe4**

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 56,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

KnowBe4 Phishing Test Results Reveal IT and Online Services  Emails Drive Dangerous Attack Trend

**ANNAPOLIS, Md.****,** **April 18, 2023** **/PRNewswire/ --** Marlinspike Partners, a venture capital investment firm focusing on disruptive dual-use technology companies advancing national security and commercial interests of the United States, today announced that Charles Carmakal has joined its Advisory Board.

With over 20 years of professional experience in cybersecurity, Charles is a one of the world's pre-eminent cybersecurity experts. He is currently CTO for Mandiant Consulting, where he oversees a team of incidence responders, analysts, and consultants that have helped thousands of organizations respond to complex security breaches orchestrated by foreign governments and organized criminals. Charles led the teams that discovered and responded to some of the most impactful security events, including the SolarWinds supply chain attack and the Colonial Pipeline cyber disruption. Charles provides strategic security guidance to executive leadership and boards of directors, helping Fortune 500 organizations build and enhance security programs to combat advanced cyberattacks.

"I am very excited to be joining Marlinspike's Advisory Board. Cybersecurity is an integral part of our nation's defense strategy. Marlinspike is investing in technologies that provide the United States with a technological edge and national security, and I am excited to contribute to the mission," said Carmakal.

"Cybersecurity challenges continue to be one of the most pressing issues for our nation's public and private sectors. We are very pleased to have world-class expert like Charles join our Advisory Board," said Mislav Tolusic, Managing Partner and CIO of Marlinspike. Neil Keegan, Managing Partner and CEO of Marlinspike, emphasized Carmakal's onboarding as part of a broader strategy to continue growing the Marlinspike Advisory Board with world-class experts.

**About Marlinspike**

Marlinspike is a venture capital investment firm, focusing on investing in disruptive dual-use technology companies advancing national security and commercial interests of the United States.

Marlinspike uses a private equity approach to investing, focusing on adding value and driving growth post-investment. A unique approach, an experienced management team, and dedication to the mission makes Marlinspike a preeminent dual-use technology investment firm.

SOURCE Marlinspike Partners LLC

Marlinspike Adds Charles Carmakal to its Advisory Board

An investigation concludes that NSO Group was hired in 2022 to deploy Pegasus spyware against human rights workers in Mexico and other targets.

Israeli spyware firm NSO Group is back with at least three new iOS 15 and iOS 16 zero-click exploit chains, which were used against human rights activists in Mexico and elsewhere across the world in 2022.

The Citizen Lab, an interdisciplinary research organization in Toronto focused on communications technologies, human rights, and global security, recently released the results of its investigation into NSO Group's recent activities.

The Citizen Lab team reported finding evidence that NSO Group was hired to use the exploit chains (known as PWNYOURHOME, FINDMYPWN, and LATENTIMAGE) to deploy Pegasus spyware against human rights groups in Mexico, including Centro PRODH, which represents families accusing the country's military of abuses.

"Our ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," Citizen Lab's report said.

Apple has since issued a HomeKit security update in iOS.16.3.1, the The Citizen Lab added.

Citizen Lab recommends high-risk users use the iOS 16 feature known as "Lockdown Mode." With Lockdown Mode engaged, targets of PWNYOURHOME exploit chain were provided with real-time alerts.

"Although NSO Group may have later devised a workaround for this real-time warning, we have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled," Citizen Lab said.

The revelations come on the heels of Citizen Lab and Microsoft outing another Israel-based spyware organization, dubbed QuaDream, which was offering cyber espionage tools and services to international governments to monitor and spy on private individuals. Shortly after the expose, QuaDream said it was closing up shop.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading