CISA's recently released cybersecurity performance goals can help lower risk and thwart the impact of cyberattacks.

The message is simple, but important: Cover the basics.

In its recently released cybersecurity performance goals, the Cybersecurity and Infrastructure Security Agency (CISA) stressed the importance of taking steps to maintain computer system health and improve online security. The goals are important reminders of risk in the sectors the agency defines as critical infrastructure, because cyberattacks can disrupt and even shut down services that impact daily life. This occurred in the energy sector when Colonial Pipeline was attacked, and in the utility sector with an attack on a dam in New York.

The agency's goals, designed to supplement the NIST Cybersecurity Framework, establish a common set of fundamental cybersecurity practices that lower risk and thwart the impact of cyberattacks on critical infrastructure organizations. For example, there must be an acceptable level of security for customers' accounts so that unsuccessful logins are detected, future attempts are prevented, and suspicious activity is reported.

Another goal, device security, advocates an approval process before new hardware or software can be installed on a system; it also advises managing the inventory of system assets so administrators can detect and respond to vulnerabilities. Related to device security is the data security goal, which stresses the importance of collecting log data and securing sensitive information with encryption.

**Individual Users Represent the Greatest Vulnerability**

While these basic best practices are familiar to all practitioners in the cybersecurity industry, CISA elevated them because it recognizes that individual users represent the greatest vulnerability to networks. One lapse in cyber hygiene can have a lasting impact and cripple citizen services. Even though cyber threats are invisible, they can noticeably disrupt the food supply, water systems, healthcare, and financial systems with long-term consequences. CISA's promotion of the guidelines shows the need for continuous awareness of the threats in cyberspace, and the importance of avoiding the complacency that can lead to an operational shutdown.

Attackers employ social engineering scams to manipulate individual users into clicking suspicious links, as happened with the Operation Sharpshooter attack that infected 87 critical infrastructure organizations. Through these infected devices, hackers could have gained access to Internet-enabled industrial control systems (ICS) at manufacturing facilities or wastewater treatment plants, causing further disruption. Unlike home or enterprise networks in which restoring the network will usually put you back in operation, an interruption of a wastewater treatment plant may involve days or weeks of work to clean filters and incrementally bring operational functions back online.

In addition to the disruption to operations, there is the financial cost that bears consideration: In 2022, 28% of critical infrastructure organizations experienced a destructive or ransomware attack, costing an average of $4.82 million per incident.

CISA recognizes the state of ICS vulnerabilities, and it has performance goals for protecting those systems, too. Because many critical infrastructure facilities are privately owned, government and industry are working together to coordinate improvements in the security posture, and CISA has a leading role. ICS represents a particular challenge due to the complexity and age of many ICS systems and the underlying operational technology, however, it underscores the importance of overall cybersecurity with four reasons to embrace its guidelines:

*   Many organizations have not adopted fundamental security protections
*   Small and medium-sized organizations are left behind
*   Lack of consistent standards and cyber maturity across critical infrastructure sectors
*   Cybersecurity often remains overlooked and under resourced

As the Internet of Things (IoT) connects more devices, the attack surface of critical infrastructure will increase, likely raising the cost of successful attacks. In health care, which CISA considers critical infrastructure, Internet-enabled equipment poses a risk. If a hospital's systems are well protected, but a supplier didn't secure the code in its dialysis or magnetic resonance imaging machines, the hospital becomes vulnerable.

Implementing CISA's new cybersecurity goals takes a dedicated investment, business process improvement, and regular audit to improve cyber defenses. As attacks on hardware, software, and data become more sophisticated, so too must the defenses with continuous modernization of cyber technology. It requires collaboration between CISA and infrastructure providers that will benefit from the agency's mission of promoting cybersecurity awareness, defending against threats, and striving for a more secure and resilient infrastructure. CISA's emphasis on foundational steps to take for cybersecurity are foundational. It may seem like a step backward, but it's actually a consequential leap forward.

To Safeguard Critical Infrastructure, Go Back to Basics

At the inaugural CloudNativeSecurityCon, DevSecOps practitioners discussed how to shore up the software supply chain.

At the recent CloudNativeSecurityCon in Seattle, 800 DevSecOps practitioners gathered to address a myriad of software supply chain security issues, including the security of container images and the impact of zero trust on the software supply chain.

As of last year, there were 7.1 million cloud-native developers, 51% more than the 4.7 million 12 months earlier, Cloud Native Computing Foundation executive director Priyanka Sharma said in the opening keynote. "Everyone is becoming a cloud-native developer," Sharma said.

However, this rapid shift to cloud-native development can be a source of concern, since the rapid release cycles may lead to organizations not following secure lifecycle development (SDLC) practices, Sharma warned. Snyk's 2022 State of Cloud Security report found that 77% of organizations acknowledged that they have poor training and lack effective collaboration among developers and security teams.

"There are siloed teams often working in separate countries, time zones, using different tools, policy frameworks," Sharma said. "In the cloud-native environment, we are interacting with so many other entities. Throw in a lack of security policy, and there's the recipe for your security breach."

The lack of security policies is fueling an increase in vulnerabilities due to misconfigurations. An alarming 87% of container images running in production have critical or high-severity vulnerabilities, up from 75% a year ago, according to the Sysdig 2023 Cloud-Native Security and Usage Report. Yet only 15% of those unpatched critical and high vulnerabilities are in packages that are in use at runtime where a patch is available.

Sysdig's findings are based on telemetry gathered from thousands of its customers' cloud accounts, amounting to billions of containers. The high percentage of critical or high-severity vulnerabilities in containers is the outgrowth of the rush by organizations to deploy modern cloud applications. The push has created an influx of software developers moving to the more agile continuous integration continuous development (CI/CD) programming model.

Sysdig's report recommended filtering to isolate only the critical and highly vulnerable packages in use in order to focus on packages that present the most risk. Further, only 2% of the vulnerabilities are exploitable. "By looking at what has in use exposure, that is what is actually in use at runtime, and having the fix available will help teams prioritize," Sysdig threat researcher Crystal Morin wrote in the report.

**5 Elements of Zero Trust Implementation**

Sharma pointed to last year's Cost of a Data Breach report from IBM and Ponemon Institute, which showed that 79% of organizations have not moved to a zero-trust environment. "That is really not good," Sharma said. "Because almost 20% of breaches are occurring because of a compromise at a business partner. And keep in mind that almost half the breaches that occur are cloud-based."

A key barrier to instituting zero trust is environments where permissions are not under control. According to the Sysdig report, 90% of permissions granted are not used, creating an easy path for stealing credentials. According to the report, "teams need to enforce least privilege access, and that requires an understanding of which permissions are actually in use."

Zack Butcher, founding engineer at Tetrate and an early engineer on Google's service mesh project Istio, said creating a zero-trust environment isn't that complicated. "Zero trust itself isn't a mystery," Butcher told attendees. "There's a lot of FUD \[fear, uncertainty, and doubt\] around what zero trust is. It's fundamentally two things: people process and runtime controls that answer and mitigate the question, 'what if the attacker is already inside that network?'"

Butcher identified five policy checks that would make up a zero-trust system:

1.  Encryption in transit to ensure messages can't be eavesdropped
2.  Service level identity to enable authentication at runtime, ideally a cryptographic identity
3.  The ability to use those identities to be able to perform runtime service-service authorization to control which workloads can talk to each other
4.  Authenticating the end user in session
5.  A model that authorizes the actions users are taking on resources in the system

Butcher noted that while these are not new, there is now an effort to create an identity-based segmentation standard with the National Institute of Standards and Technology (NIST). "If you look at things like API gateways and ingress gateways, we do these checks usually," he said. "But we need to be doing them, not just at the front door, but every single hop in our infrastructure. Every single time anything is communicating, we need to be applying, at minimum, these five checks."

**NIST Standard Coming Up**

During a breakout session, Butcher and NIST computer scientist Ramaswamy "Mouli" Chandramouli explained the five controls and how they fit into a zero-trust architecture. Tools such as a service mesh can help implement many of those controls, Butcher said.

The presentation is an outline for a proposal that will be presented as NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments. "We expect to have this out for initial public review sometime in June," Butcher said.

Butcher said supply chain security is a critical component of a zero-trust architecture. "If we can't inventory and attest what's running in our infrastructure, we leave a gap for attackers to exploit," he said. "Zero trust as a philosophy is all about mitigating what an attacker can do if they are in the network. The goal is bounding their attack in space and time, and controlling the applications that execute in that infrastructure is a key element of bounding the space an attacker has to work with."

87% of Container Images in Production Have Critical or High-Severity Vulnerabilities

"Hundreds" of special education students' psych records have turned up on the Dark Web. School records like these are covered by FERPA, not HIPAA, so parents have little recourse.

On Feb. 22, the education news site The 74 Million revealed that the hacking group Vice Society had posted hundreds, if not thousands, of psychological evaluations of special education students in the Los Angeles Unified School District (LAUSD).

The leaked information reportedly includes personal information like names, diagnoses, family immigration status, and allegations of physical and sexual abuse.

Since The 74's story, the official @LASchools Twitter account has sent messages about Dream Act applications, Anti-Bullying Day, and Eva Longoria. The account of LAUSD Superintendent Alberto Carvalho has tweeted about school building improvements, Narcan, and a new Portuguese language center. The LAUSD website has not posted updates on the breach, first reported over Labor Day weekend in 2022, since Sept. 30.

Subsequent news stories refer to a written statement from IT infrastructure senior administrator Jack Kelanic, which was distributed upon individual request and not posted to the district site or Twitter. About Kelanic's statement, the Los Angeles Daily Mail wrote, "The 500 psychological evaluation forms analyzed by The 74 were primarily from former students born in the late 1980s and 1990s. Kelanic also said that 60 of the leaked student assessments were those of current students."

When a hospital system lets that kind of information go public, it faces fines and other repercussions under HIPAA. However, when a school leaks it, the breach is covered by the Family Educational Rights and Privacy Act (FERPA), meaning the responsibility to file complaints lies with individual parents.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Student Medical Records Exposed After LAUSD Breach

The number of people who have made the weaponized software available for sharing via torrent suggests that many unsuspecting victims may have downloaded the XMRig coin miner.

People using pirated versions of Apple's Final Cut Pro video editing software may have gotten more than they bargained for when they downloaded the software from the many illicit torrents through which it is available.

For the past several months at least, an unknown threat actor has used a pirated version of the macOS software to deliver the XMRig cryptocurrency mining tool on systems belonging to people who downloaded the app.

Researchers from Jamf who recently spotted the operation have been unable to determine how many users might have installed the weaponized software on their system and currently have XMRig running on them, but the level of sharing of the software suggests it could be hundreds.

**Potentially Wide Impact for XMRig**

Jaron Bradley, macOS detections expert at Jamf, says his company spotted over 400 seeders — or users who have the complete app — making it available via torrent to those who want it. The security vendor found that the individual who originally uploaded the weaponized version of Final Cut Pro for torrent sharing is someone with a multiyear track record of uploading pirated macOS software with the same cryptominer. Software in which the threat actor had previously sneaked the malware into includes pirated macOS versions of Logic Pro and Adobe Photoshop.

"Given the relatively high number of seeders and \[the fact\] that the malware author has been motivated enough to continuously update and upload the malware over the course of three and a half years, we suspect it has a fairly wide reach," Bradley says.

Jamf described the poisoned Final Cut Pro sample that it discovered as a new and improved version of previous samples of the malware, with obfuscation features that have made it almost invisible to malware scanners on VirusTotal. One key attribute of the malware is its use of the Invisible Internet Project (i2p) protocol for communication. I2p is a private network layer that offers users similar kind of anonymity as that offered by The Onion Router (Tor) network. All i2p traffic exists inside the network, meaning it does not touch the Internet directly.

"The malware author never reaches out to a website located anywhere except within the i2p network," Bradley says. "All attacker tooling is downloaded over the anonymous i2p network and mined currency is sent to the attackers' wallet over i2p as well."

With the pirated version of Final Cut Pro that Jamf discovered, the threat actor had modified the main binary so when a user double clicks the application bundle the main executable is a malware dropper. The dropper is responsible for carrying out all further malicious activity on the system including launching the cryptominer in the background and then displaying the pirated application to the user, Bradley says.

**Continuous Malware Evolution**

As noted, one of the most notable differences between the latest version of the malware and previous versions is its increased stealth — but this has been a pattern. 

The earliest version — bundled into pirated macOS software back in 2019 — was the least stealthy and mined cryptocurrency all the time whether the user was at the computer or not. This made it easy to spot. A later iteration of the malware got sneakier; it would only start mining cryptocurrency when the user opened a pirated software program. 

"This made it harder for users to detect the malware's activity, but it would keep mining until the user logged out or restarted the computer. Additionally, the authors started using a technique called base 64 encoding to hide suspicious strings of code associated with the malware, making it harder for antivirus programs to detect," Bradley says.

He tells Dark Reading that with the latest version, the malware changes the process name to look identical to system processes. "This makes it difficult for the user to distinguish the malware processes from native ones when viewing a process listing using a command-line tool.

One feature that has remained consistent through the different versions of the malware is its constant monitoring of the "Activity Monitor" application. Users can often open the app to troubleshoot problems with their computers and in doing so could end up detecting the malware. So, "once the malware detects that the user has opened the Activity Monitor, it immediately stops all its processes to avoid detection."

Instance of threat actors bundling malware into pirated macOS apps have been rare and far between. In fact, one of the last well-known instances of such an operation was in July 2020, when researchers at Malwarebytes discovered a pirated version of application firewall Little Snitch that contained a downloader for a macOS ransomware variant.

Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery

**ARLINGTON, VA, USA, February 23, 2023 --** Today, AUVSI announced the launch of Green UAS, a new program to expand the number of commercial Uncrewed Aircraft Systems (UAS) that have been verified to meet the highest levels of cybersecurity and National Defense Authorization Act (NDAA) supply chain requirements. Green UAS mirrors the Defense Innovation Unit (DIU)’s Blue UAS certification program but is designed for customers who do not immediately require Department of Defense (DoD) authority to operate. Green UAS also offers a ​more streamlined ​pathway to the Blue UAS 2.0 cleared list. Green UAS is the next evolution of drone security certification for customers who are increasingly relying on commercial, off-the-shelf drones to conduct diverse operations. These users include federal government agencies, local law enforcement, first responders, and state departments of transportation; and industrial enterprise users such as energy and utilities, telecoms, manufacturing, food and agriculture, and logistics and mapping/surveying companies. DIU’s Blue UAS has successfully created a pathway for the DoD to purchase compliant commercial drone technology that meets the requirements Congress set forth in the 2020 NDAA; however, the program ​does not have the funding or mandate to ​scale to meet growing demand for non-DoD customers in government, civil and commercial sectors. “​Strengthening the​ domestic drone industry ​is critical in providing options for Government agencies to get the trusted UAS they need to meet their mission​— and industry organizations are well-suited to ​help the Government ​meet the need for a rapid, scalable solution,” said David Michelson, DIU Program Manager for Blue UAS. “We look forward to reviewing AUVSI’s certifications when drone companies that are Green UAS certified ​have a DoD sponsor that wants them​ to ​​​​convert ​to ​Blue UAS certification.”   
Green UAS is the first product of AUVSI’s broader Trusted Cyber Program, which AUVSI launched in August 2022 with collaboration from Fortress Information Security, a leading cybersecurity firm with experience in industry-led cyber standards development. AUVSI will work with a network of cybersecurity firms to rapidly vet drones that are seeking Green UAS certification. Elements that will be assessed include product and device security, corporate cyber hygiene, and for drones that are not seeking to go from Green to Blue, remote operations and connectivity.   
This launch also builds on the collaboration AUVSI announced with DIU in September 2022 to further commercial cyber methodologies to build a shared requirement. AUVSI’s unique position with commercial drone vendors and close coordination with DIU gives its Trusted Cyber Program the unique ability to meet growing demand for vetted drones and to standardize cybersecurity requirements.   
“AUVSI’s Green UAS is a solution to existing cybersecurity and supply chain verification challenges and will serve the UAS community, end-users, and federal partners,” said Michael Robbins, Chief Advocacy Officer at AUVSI. “This falls squarely in line with our mission to help drive a safe and secure UAS market demand and provide a more competitive marketplace for all.”   
Learn more at https://www.auvsi.org/green-uas. 

**About AUVSI**

The Association for Uncrewed Vehicle Systems International (AUVSI) — the world's largest non-profit organization dedicated to the advancement of uncrewed systems, autonomy and robotics — represents corporations and professionals from more than 60 countries involved in industry, government and academia. AUVSI members work in the defense, civil and commercial markets. For more information, visit AUVSI.org.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AUVSI Launches Green UAS Cybersecurity Certification Program For Commercial Drones

A federal grand jury in the District of Oregon returned an indictment today charging four founders of Forsage, a purportedly decentralized finance (DeFi) cryptocurrency investment platform, for their roles in a global Ponzi and pyramid scheme that raised approximately $340 million from victim-investors.

According to court documents, Vladimir Okhotnikov, aka Lado; Olena Oblamska, aka Lola Ferrari; Mikhail Sergeev, aka Mike Mooney, aka Gleb, aka Gleb Million; and Sergey Maslakov, all Russian nationals, allegedly touted Forsage as a decentralized matrix project based on network marketing and “smart contracts,” which are self-executing contracts on the blockchain. As alleged in the indictment, the defendants aggressively promoted Forsage to the public through social media as a legitimate and lucrative business opportunity, but in reality, the defendants operated Forsage as a Ponzi and pyramid investment scheme that took in approximately $340 million from victim-investors around the world.

“Together with our partners, the department is committed to holding accountable fraudsters who cheat investors, including in the emerging DeFi space,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “Today’s indictment showcases the department’s ability to use all available investigative tools, including blockchain analysis, to uncover sophisticated frauds involving cryptocurrency and digital assets.”

According to court documents, the defendants allegedly coded and deployed smart contracts that systematized their combined Ponzi-pyramid scheme on the Ethereum (ETH), Binance Smart Chain, and Tron blockchains. Analysis of the computer code underlying Forsage’s smart contracts allegedly revealed that, consistent with a Ponzi scheme, as soon as an investor invested in Forsage by purchasing a “slot” in a Forsage smart contract, the smart contract automatically diverted the investor’s funds to other Forsage investors, such that earlier investors were paid with funds from later investors.

“Today’s indictment is the result of a rigorous investigation that spent months piecing together the systematic theft of hundreds of millions of dollars,” said U.S. Attorney Natalie Wight for the District of Oregon. “Bringing charges against foreign actors who used new technology to commit fraud in an emerging financial market is a complicated endeavor only possible with the full and complete coordination of multiple law enforcement agencies. It is a privilege to work alongside the agents involved in these complex cases.”

As further alleged in the indictment, the defendants falsely promoted Forsage to the public as a legitimate, low-risk, and lucrative investment opportunity through Forsage’s website and various social-media platforms. However, blockchain analytics confirmed that over 80% of Forsage investors received fewer ETH back than they had invested in Forsage’s Ethereum program, with over 50% of investors never receiving a single payout. Additionally, according to court documents, the defendants coded at least one of Forsage’s accounts (known as the “xGold” smart contract on the Ethereum blockchain) in a way that fraudulently siphoned investors’ funds out of the Forsage investment network and into cryptocurrency accounts under the founders’ control, which was contrary to representations made to Forsage investors that “100% of the \[Forsage\] income goes directly and transparently to the members of the project with zero risk.”

“While advancements in the virtual asset ecosystem bring new opportunities to investors, criminals are also finding new ways to orchestrate illicit schemes,” said Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division. “The FBI remains committed to working alongside our domestic and international law enforcement partners to investigate and pursue subjects who orchestrate these scams and attempt to defraud investors.”

“Technology is always changing and scams and swindles evolve alongside it,” said Inspector in Charge Eric Shen of the U.S. Postal Inspection Service (USPIS), Criminal Investigations Group. “The U.S. Postal Inspection Service is committed to investigating those who engage in schemes involving cryptocurrency investment fraud, which can cause significant financial harm to unsuspecting victims. We urge individuals to be cautious when considering investments and to always do their due diligence before providing money or personal information to any individual or organization.”

“These individuals are alleged to have used trendy technology and opaque language to swindle investors out of their hard-earned cash,” said Special Agent in Charge Ivan J. Arvelo of Homeland Security Investigations (HSI) New York. “But, as the indictment alleges, all they were doing was running a classic Ponzi scheme. The technology may change, but the scams remain the same and with the collaboration amongst all our partners, we’re able to see through the phony promises and bring the schemes to light. HSI is committed to being at the forefront of financial investigations, using the full extent of our investigative capabilities to track down criminals no matter what new tricks they use.”

Okhotnikov, Oblamska, Sergeev, and Maslakov are each charged with conspiracy to commit wire fraud. If convicted, the defendants face a maximum penalty of 20 years in prison.

The FBI Portland Field Office, USPIS, and HSI New York’s El Dorado Task Force are investigating the case.

Trial Attorneys Sara Hallmark and Tian Huang of the Criminal Division’s Fraud Section and Assistant U.S. Attorneys Quinn Harrington and Meredith Bateman for the District of Oregon are prosecuting the case.

All investor victims of the Forsage scheme are encouraged to visit the webpage www.justice.gov/criminal-vns/case/united-states-v-vladimir-okhotnikov-et-al to identify themselves as potential victims and obtain more information on their rights as victims, including the ability to submit a victim impact statement.

_An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law._

Forsage Founders Indicted in $340M DeFi Crypto Scheme

The produce company said it suffered a ransomware attack earlier this month.

Dole Food Company earlier this month temporarily shut down its North American production plants and shipments to grocery stores in the wake of a ransomware attack.

"Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole's internal teams to remediate the issue and secure systems," the company said in a press statement.

Dole, which confirmed it is also working with law enforcement on the case, said the ransomware attack had "limited" affect on its operations.

Even so, CNN — which first broke the news of the attack — reported that some grocery shelves were left empty of Dole salad kits for a few days due to shipment issues tied to the cyberattack.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattack on Dole Causes Temporary Salad Shortage

Diverse ecosystem of global technology, finance, and university leaders join as first OpenWallet Foundation Members, many more expected.

**BRUSSELS and SAN FRANCISCO, February 23,  2023 --** Linux Foundation Europe, an independent trusted supporter and vendor-neutral home for open source projects in Europe, today announced the official formation of the OpenWallet Foundation (OWF). This new, collaborative effort will develop open source software to support interoperability for a wide range of wallet use cases, including making payments, proving identity, storing validated credentials such as employment, education, financial standing, and entitlements — to enable trust in the digital future. 

Inaugural Premier members sponsoring the OWF include Accenture, Gen, Futurewei and Visa. General members sponsoring the foundation include American Express, Deutsche Telekom / T-Systems, esatus AG, Fynbos, Hopae, IAMX, IDnow, IndyKite, Intesi Group, Ping Identity, SmartMedia Technologies (SMT), Spruce and Swisscom. 

Additionally, 20 leading nonprofits and academic and government entities have joined the foundation, including Customer Commons, Decentralized Identity Foundation (DIF), Digital Identification and Authentication Council of Canada (DIACC), Digital Dollar Project, Digital Identity New Zealand (DINZ), Digital Identity and Data Sovereignty Association (DIDAS), DizmeID Foundation (DIZME), Hyperledger Foundation, Information Technologies ics and Telematics Institute / Centre for Research and Technology Hellas (CERTH/ITI), Johannes Kepler University Linz, ID2020, IDunion SCE, Mifos Initiative, MIT Connection Science, Modular Open Source Identity Platform (MOSIP), OpenID Foundation, Open Identity Exchange (OIX), Secure Identity Alliance (SIA), Universitat Rovira i Virgili, and the Trust Over IP Foundation (ToIP).

The OWF will not publish a wallet itself, nor offer credentials or create new standards. Instead, its open source software engine aims to become the core that other organizations and companies leverage to develop their own digital wallets. The wallets will seek feature parity with the best available wallets and interoperability with major cross-border projects such as the EU’s Digital Identity Wallet.

"Wallets are critical infrastructure for payments, for identity, and for secure access. Open source  — driven by collaboration among for-profits large and small, non-profits, and government leaders — is a great role model for infrastructure that is vital for digital societies and benefits everyone," said Daniel Goldscheider, founder of the OpenWallet Foundation. "With open source at the core of wallets, like it is at the core of web browsers, anyone can build a digital wallet that works with others and gives consumers the freedom to maintain their identity and verifiable credentials and share relevant data when, where, and with whom they choose."

With such a consequential and diverse group of members, OWF underscores how important it is to have an open foundation to support a plurality of digital wallets to ensure consistency, interoperability, and portability while protecting consumer privacy.

"The world needs a place to store digital assets that matter, and the work of this foundation has the potential to redefine the credentials landscape globally, creating in turn much better digital experiences for people everywhere and new market opportunities," said Gabriele Columbro, general manager of Linux Foundation Europe. "The EU has been a leading force in data privacy and consumer protection, and efforts like OWF offer a concrete opportunity for policy makers to 'shift left' their engagement, enabling a continuous and transparent feedback cycle between regulations and regulated technology. That’s why we are honored to bring such a relevant group of cross-industry players together in OWF under Linux Foundation Europe."

The OWF is the second project hosted by Linux Foundation Europe. Project Sylva was added in November 2022 to create an open source telco cloud software framework. 

Launching in tandem with OWF is a new report, Why the World Needs an Open Source Digital Wallet Right Now, from the OWF in partnership with Linux Foundation Research. The report notes:

*   Digital wallets are the world’s leading payment method for e-commerce and  point-of-sale retail. In 2021, the value of digital wallet transactions came to $15.9 trillion. 
*   Hundreds of digital wallets exist, but suffer from a host of problems, including vendor lock in, no interoperability, questionable security, and limited capabilities.
*   New wallets are underway, too, but without them all staying in sync, every country or organization that issues credentials could become a walled garden. IDs and wallets from elsewhere won’t work, disrupting travel, international students, and mobile workforces. 
*   The future will include multiple wallets, which is why we need a world-class wallet engine to ensure that interoperability is built in.

Quotes from inaugural members are available here.

For more information about the project and how to participate in this work, please visit: openwallet.foundation.

Join Open Wallet Foundation members for a livestream and Q&A on February 23rd, at 5:00 pm CEST/11:00 am ET. Register here.

**About Linux Foundation Europe**

Linux Foundation Europe was launched in September 2022 to facilitate open collaborations originating in Europe that succeed on a global scale, supporting one of the largest and most influential open source ecosystems in the world. The Linux Foundation and Linux Foundation Europe together are supported by more than 3000 members internationally. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger Foundation, PyTorch, RISC-V, and more. Linux Foundation Europe methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.eu.

Linux Foundation Europe Announces Formation of OpenWallet Foundation

Through its Cybersecurity Assurance Program, UL Solutions is helping the automotive industry advance cybersecurity management systems for connected vehicle technologies.

**NORTHBROOK, Ill.****,** **Feb. 23, 2023** **/PRNewswire/ --** UL Solutions, a global leader in applied safety science, today announced it issued the first Cybersecurity Assurance Program Certificate for ISO/SAE 21434:2021, Road Vehicles — Cybersecurity Engineering to LG Innotek. The UL Solutions Cybersecurity Assurance Program (CAP) Certificate recognizes that LG Innotek's cybersecurity management system meets the requirements of the ISO/SAE 21434:2021 standard, which was introduced last year.

Cybersecurity is increasingly crucial for occupant protection as road vehicles become more connected and less isolated. Without a compliant cybersecurity management system, connectivity technology can leave road vehicles more vulnerable to automotive cybersecurity risks and ultimately affect the safety of the driver and passengers.

UL Solutions helps automotive original equipment manufacturers (OEMs) and suppliers assess cybersecurity risk throughout the complete product life cycle to help them identify problems earlier in the design phase before discovering issues in the final product.

"Cybersecurity risk management frameworks empower manufacturers to demonstrate that they prioritize cybersecurity and have mitigation measures in place in case of incidents or breaches," said Jody Nelson, managing director of Automotive Cybersecurity and Functional Safety at UL Solutions. "This proactive approach builds trust among buyers, which is fundamental to building valued brands. Congratulations to LG Innotek for achieving the first CAP certificate issued for the automotive industry. This milestone showcases LG Innotek's commitment to building a process that meets requirements set by current automotive cybersecurity standards."

The 2021 Global Automotive Consumer Study from Deloitte revealed that the majority of more than 24,000 consumers surveyed are concerned about someone hacking into their connected car systems and compromising their safety. Among consumers participating in the study, 66% in India, 64% in the United States and 58% in China indicated concerns regarding automotive cybersecurity risks.

Given the rapidly growing complexity of connected vehicles, it is increasingly challenging to eliminate cybersecurity risks. As a result, emerging regulations, such as ISO/SAE 21434:2021 and UN Regulation No. 155, Cybersecurity and Cybersecurity Management System, guide developing a risk management framework designed to assess risk early in the development phases, address cybersecurity challenges as they present themselves and track progress over time.

"Cybersecurity risk management proves critical to successfully delivering quality automotive components and connected vehicles in both commercial and passenger segments," Nelson said. "In today's world, security is intrinsic to quality. Our security experts offer a cross-functional technical experience to support the global automotive industry and suppliers such as LG Innotek in the shift toward connected vehicles."

ISO/SAE 21434:2021 specifies engineering requirements for cybersecurity risk management regarding the concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces. The standard defines a framework that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

**About UL Solutions**  
A global leader in applied safety science, UL Solutions transforms safety, security and sustainability challenges into opportunities for customers in more than 100 countries. UL Solutions delivers testing, inspection and certification services, together with software products and advisory offerings, that support our customers' product innovation and business growth. The UL Certification Marks serve as a recognized symbol of trust in our customers' products and reflect an unwavering commitment to advancing our safety mission. We help our customers innovate, launch new products and services, navigate global markets and complex supply chains, and grow sustainably and responsibly into the future. Our science is your advantage.

SOURCE UL Solutions

UL Solutions Issues Automotive Cybersecurity Assurance Program Certificate to LG Innotek

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks.

There has been a lot of talk about generative AI and chatbots like ChatGPT launching cyberattacks. What does that mean for the future of cybersecurity, and how can organizations prepare?

Threat actors are using ChatGPT to launch cyberattacks now. ChatGPT allows threat actors to increase the speed and variation of their attacks by modifying code in malware or creating thousands of variations of social engineering attacks to increase the probability of success. As machine learning technologies advance, so will the variety of ways this technology is used for malicious intent.

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks with increased speed and variations. The possible uses of AI for malicious intent are in their infancy. AI-powered technologies that leverage generative AI and diffusion models can modify the appearance of video and voice. They will most likely be used for cyberattacks, resulting in unfortunate consequences for organizations.

A race to develop new technologies leveraging AI is happening in voice (written and verbal), video, and more, as is evidenced by OpenAI's ChatGPT, Google's Bard, and Microsoft's AI-powered Bing. All are large language models that exponentially accelerate access to knowledge and rapidly generate new forms of content based on that contextualized knowledge. These tools rely on big data sets and the quality of those data sets.

While ChatGPT has the initial lead as the fastest-growing tool in history, don't bet against Google's ability to surpass ChatGPT in the future. It will certainly be a race, unlike anything we've seen before. As these new technologies become available, they will be used by organizations and cybercriminals, and both sides will use them to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext engineers have been developing natural-language generative AI technology for a few years in anticipation of these types of changes in the threat landscape.

**How Real the Generative AI Threat Is and How Organizations Can Prepare**

Generative AI, chatbots, and diffusion models are all developments in AI that present a real danger to users and businesses. Right now, ChatGPT, in particular, is a real enhancement to malware, business email compromise (BEC), and ransomware threat development. Cyberattacks are most dangerous when delivered with speed and frequency to targets.

With malware, ChatGPT enables cybercriminals to make infinite code variations to stay one step ahead of the malware detection engines. BEC attacks are target attempts to social engineer a victim into giving valuable financial information or data. These attacks require personalized messages to be successful. Now ChatGPT can create well-written, personal emails en masse with infinite variations. The speed and frequency of these attacks will increase and yield a higher success rate of user compromises and breaches. Legacy security technology doesn't stand a chance against these types of attacks. 

We must fight AI cyber threats with AI cybersecurity technology. When cybercriminals launch successful attacks, the results are massively disruptive to people, organizations, and the economy. The No. 1 cyber challenge that organizations face globally is human-focused attacks. Cybercriminals are increasing their attacks in LinkedIn, Microsoft Teams, Messenger, and Slack and taking advantage of the most vulnerable part of organizations: its people.

Many organizations are already using AI-based cybersecurity products to manage detection and response. AI technologies with generative AI will become essential technology to stop hackers and breaches. As new technology becomes available, hackers and cybersecurity vendors will use it to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext has been developing a natural-language generative AI technology for a year and a half in anticipation of these types of threats.

ChatGPT is not new, but OpenAI is the first to make an interface, so it's more accessible. ChatGPT is not the technology to fend off threats designed with ChatGPT. Still, generative AI technology, which makes ChatGPT possible, will be used to develop cyber defenses capable of stopping malware and BEC threats developed with ChatGPT. 

**About the Author**

    

Patrick Harr is the CEO of SlashNext, an integrated cloud messaging security company using patented HumanAI™ to stop BEC, smishing, account takeovers, scams, malware, and exploits in email, mobile, and Web messaging before they become a breach.

Source

DARKReading