Security vulnerabilities plague automakers, and as vehicles become more connected, a more proactive stance on cybersecurity will be required — alongside regulations.

A range of automakers from Acura to Toyota are plagued by security vulnerabilities within their vehicles that could allow hackers to access personally identifiable information (PII), lock owners out of their vehicles, and even take over functions like starting and stopping the vehicle's engine.

According to a team of seven security researchers, whose efforts were detailed on Web application security specialist Sam Curry's blog, vulnerabilities across automakers' internal applications and systems allowed them in a proof-of-concept hack to send commands using only the VIN (vehicle identification number), which can be seen through the windshield outside the car.

In all, the team uncovered serious security issues from automakers such as BMW, Ferrari, Ford, Volvo, and many others, across Europe, Asia, and the United States. It also found issues at suppliers and telematics companies including Spireon, which develops GPS-based vehicle tracking solutions.

A BMW Group spokesperson tells Dark Reading that IT and data security have the "highest priority" for the company and that it is continuously monitoring its system landscape for possible vulnerabilities or security threats.

The spokesperson adds that the vulnerability mentioned in the report has been known since beginning of November, and has been processed according to BMW's "security standard operating procedures," e.g., its bug-bounty program.

"The relevant addressed vulnerability issues were closed within 24 hours and we have no indication of any data leaks," the spokesperson says. "No vehicle-related IT systems were affected nor compromised. No BMW Group customers or employee accounts were compromised."

This is only the latest security concern to come to light. In March, telemetry from industrial systems security firm Dragos spotted Emotet command-and-control servers communicating with several automotive manufacturer systems. The malware is commonly used as an initial infection vector to drop ransomware.

In December, at least three mobile apps tailored to allow drivers to remotely start or unlock their vehicles were found to have security vulnerabilities that could allow unauthenticated malicious types to do the same from afar.

**Automakers Slow to Recognize Growing Threat**

Even though security vulnerabilities have been an issue in the industry for some time (going back to Charlie Miller and Chris Valasek's infamous 2015 Jeep hack detailed at Black Hat USA), automakers have been slow to recognize the potential severity of the developments, says Gartner automotive industry analyst Pedro Pacheco.

He explains that as automakers transition into becoming software developers, they are struggling to address all points of that development cycle — including security.

"One very simple notion is if you're not good in software, you're probably not going to be very good in making that software safe," he says. "That is guaranteed."

From his perspective, automakers are also too complacent when it comes to addressing and patching security vulnerabilities right away.

"Automakers look at this in a more reactive way than a proactive way, basically saying we'll address the small number of customers affected and solve the issue and then everything goes back to normal," he says. "That's the way of thinking for many carmakers."

As automakers develop more complex ecosystems that connect customers with application stores and connect them with their smartphones and other connected devices, the stakes are raised.

"This is the reason why cybersecurity is going to become more and more of a pressing issue," he says. "The more the vehicle takes over driving, then of course the more chances there are that this can be used against the customer and against the automaker. It hasn't happened yet, but it could very well happen in the future."

John Bambenek, principal threat hunter at Netenrich, adds another problem is that as technology evolves, car manufacturers implement it into their vehicles before the technology is truly vetted.

"Web apps have their own security concerns distinct from that path of communication," he explains. "I don’t have to own the entire communication stack. I just need to find a soft spot and researchers continue to find them. The reality is that it’s all put together with defective duct tape and bailing wire — it always has been."

He points out that the more things are put online, the more it gives opportunities for criminals.

"In this case, I’m less concerned about cybercriminals and more for stalkers and their ilk," he says. "This opens a new genre of digital harassment, which may be hard to track and harder to prosecute. That’s where I think the real risk is."

**Mandating Automotive Security Through Regulations**

Help is on the way, however. Pacheco points to the adoption of UN Regulation No. 155, focused on mandating standards for automotive cybersecurity, which went into power in July and will be enforced in Japan and South Korea — a total of 60 countries will ultimately enforce this regulation.

"This is a new dawn for cybersecurity in the automotive industry, because from this point on, cybersecurity in the vehicle becomes a legal requirement," he says. "This is the reason many automakers have already spent a considerable amount of money and time building up new cybersecurity management systems in accordance with this regulation."

He explains that under the regulation, every three years, the cybersecurity management system from the automaker from a particular vehicle will have to be audited by authorities to assess whether it complies to the regulation or not.

"Now we will start seeing a lot more things happening in cybersecurity than in the past, because until 2022 it was a bit more casual," he says.

He advises automakers not to wait to revise their security every three years but rather to incrementally update and improve their security software.

"They need to keep raising the bar in terms of the performance of their cybersecurity management system," Pacheco says. "This means adding the best cybersecurity technology in terms of hardware and software into the vehicle and running an advanced vehicle security operations center."

**Automakers Must Change Their Approach**

Pacheco explains that the industry is reaching a tipping point when it comes to cyber safety — but that improving automotive security will require a cultural shift.

"In the end, it always starts with a mindset, meaning when you have a certain threat, it must first be perceived as a threat," he says. "This is what they need to start by doing."

This could include actions as simple as running a competition amongst white hat hackers to search for any vulnerabilities they can find in this vehicle.

"Above all, automakers must be very open towards addressing \[these\] vulnerabilities and cybersecurity issues," Pacheco says. "Unfortunately, what happens is several automakers have a culture of hiding these issues."

He cautions the industry is approaching a point where automakers have less and less margin to maneuver to wait for the problems to happen.

"If they don't take considerable steps towards improving cybersecurity, it will hurt them a lot in the future," he says.

From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety

It's imperative we collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis.

Many in our industry are weighing the benefits that software bills of materials (SBOMs) could possibly bring to software quality and security. I think SBOMs are needed to understand and assess risk in software because they should provide visibility into the software construction process for a given software system. At some level, SBOMs already exist for certain products and software systems; however, their application for evaluating quality and security as stipulated in Executive Order 14028, Improving the Nation's Cybersecurity and recent federal guidance by the US Office of Management and Budget, the National Institute of Standards and Technology, and the Cybersecurity Infrastructure and Security Agency is fairly new and unproven at scale.

**The Royce Bill That Never Passed****

Around 2013, SBOM legislation H.R.5793 – Cyber Supply Chain Management and Transparency Act (known as the Royce Bill) was introduced but never gained the momentum it needed to pass as a mandate, bill, or requirement. The industry did not then have the appetite for transparency to manage software supply chain risk.

The issues this legislation would have addressed are outlined in the Congressional Record – Extensions of Remarks. These issues have now been exacerbated given the overwhelming amount of complexity and growing size in modern software development, and the increasing rate of attacks against open source software. With the increasing consumption rate of open source software in modern software development, consumers must be aware of the technical debt in open source software projects that has accumulated over time to better manage software risk. The idea of more software complexity, larger software systems, and mounting technical debt does not bode well for the federal government's desire for software integrity and trustworthiness through the software supply chain.

The fact that the Royce Bill didn't pass can be seen as a missed opportunity to address the growing threats and risk in software security at the time. Almost a decade later, the industry is still struggling to figure out how to implement SBOMs and strike the right balance to make them useful and not a target for adversaries to exploit. This raises major concern in industry about whether SBOMs are ready for prime time given the skepticism regarding the current requirements outlined in federal guidance.

****SBOM Must Inform About Unknown Risk****

One of the challenges for SBOMs is advancing and understanding how risky software is determined. I use the term "risky" because all software has vulnerabilities, and the SBOM must be able to differentiate or provide context to the level of risk associated with a software component, whether in isolation or once it has been implemented and integrated into a software system. To simply say you can't use this software component because it has CVEs (common vulnerabilities and exposures) associated with it becomes moot because all software can have vulnerabilities. SBOMs must be able to succinctly qualify which CVEs are the most dangerous and exploitable given the context the software will be implemented and used — the component function (logging, encryption, access control, authorization), the environment, and whether it can be hardened to reduce a given attack surface. The way in which software components are integrated into a system matters because software components can be implemented poorly or incorrectly, exposing vulnerabilities in software systems.

Using CVEs to establish a security baseline for open source software consumption make sense; however, tallying a bunch of CVEs to determine what software is less risky or riskier only focuses on the "known knowns" (as shown in the figure below) and does very little to help organizations understand what weaknesses are lurking that may expose vulnerabilities and impact the overall hygiene of that software component (over a period of time). Furthermore, the current state of practice regarding SBOMs doesn't encourage software supply chainers to understand the defect proneness or attack proneness rates associated with software. This is important because some software components are highly targeted and require significant patching due to inherent technical debt, low code quality, and security issues that expose vulnerabilities. More patching means developers and engineering teams are spending less time on creating and delivering new features and functionality to customers.

Defect proneness refers to the likelihood that a software component will be defective after a software product is released. There are various socio-technical factors that contribute to defect proneness such as low code quality and design flaws. Attack proneness refers to the rate at which software components can be successfully exploited, or the likelihood that software components will contain exploitable weaknesses — bug, defect, or flaw — or vulnerabilities.

    

Source: Kevin Greene

SBOM solutions must give organizations visibility into potential risk for a given software component as shown in the figure above, helping organizations make informed decisions about which software components to use and which software components to avoid. For instance, advice in the National Security Agency (NSA) Cybersecurity Information Sheet encourages developers to avoid using software developed in C and C++ because those programming languages were not intended to enforce good memory management checks. It will be interesting to see how this advice will affect the software supply chain, mainly for embedded safety critical systems, and whether suppliers will turn to programming languages that are memory safe, such as Rust and Go.

****Go Deeper to Guide SBOM****

SBOMs are not going away, so it's imperative we all collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis and insight about the characteristics of software that help inform about software risk. This will help organizations effectively evaluate and attest to software integrity, as well as other software assurance properties. Ultimately, it's important for software supply chainers to understand not just the risk associated with a given software component but the potential maintenance associated with using that software component over a period of time, given the challenges in industry to remediate vulnerabilities in software in a timely fashion. The use of defect and attack proneness rates could provide actionable intelligence that helps lower the consumption of risky software with poor hygiene, and guide software supply chainers in building software systems that are more resilient to cyberattacks. 

In theory, software components with high defect and attack proneness rates should be avoided to help stimulate and encourage the use of alternatives with better hygiene. In my opinion, SBOMs don't improve code quality and security directly, but they can make software supply chainers more aware of risk in their software construction process. Improving code quality and security for open source software requires a culture shift given that having many eyes does not make all bugs shallow.

**

Don't Be Blindsided by Software Bills of Materials

The role of artificial intelligence in cybersecurity is growing. A new AI model highlights the opportunities and challenges.

_Artificial intelligence (AI) has the potential to revolutionize many aspects of our lives, including how we approach cybersecurity. However, it also presents new risks and challenges that need to be carefully managed._

_One way that AI can be used in cybersecurity is through the development of intelligent systems that can detect and respond to cyber threats._

This was the AI chatbot’s reply when I asked it to write about AI and cyber threats. I am sure by now you know I am talking about the most popular lad in town, ChatGPT.

In November 2022, OpenAI, an AI research and development company, introduced ChatGPT (Generative Pre-trained Transformer) based on a variation of its InstructGPT model, which is trained on a massive pool of data to answer queries. It interacts in a conversational way once given a detailed prompt, admits mistakes, and even rejects inappropriate requests. Though only available for beta testing right now, it has become extremely popular among the public. OpenAI plans to launch an advanced version, ChatGPT-4, in 2023.

ChatGPT is different from other AI models in the way it can write software in different languages, debug the code, explain a complex topic in multiple ways, prepare for an interview, or draft an essay. Similar to what one can do through Web searches to learn these topics, ChatGPT makes such tasks easier, even providing the final output.

The wave of AI tools and apps has been growing for some time. Before ChatGPT, we saw the Lensa AI app and Dall-E 2 making noise for digitally creating images from text. Though these apps have shown exceptional results that could be nice to use, the digital art community was not very happy that their work, which was used to train these models, is now being used against them as it raised major privacy and ethical concerns. Artists have found their work was used to train the model and now has been used by app users to create images without their consent.

**Pros and Cons**

As with any new technology, ChatGPT has its own benefits and challenges and will have a significant impact on the cybersecurity market.

AI is a promising technology to help develop advanced cybersecurity products. Many believe broader use of AI and machine learning are critical to identifying potential threats more quickly. ChatGPT could play a crucial role in detecting and responding to cyberattacks and improving communication within the organization during such times. It could also be used for bug bounty programs. But where there is the technology, they are cyber-risks, which must not be overlooked.

**Good or Bad Code**

ChatGPT will not write a malware code if asked to write one; it does have guardrails, such as security protocols to identify inappropriate requests.

But in the past few days, developers have tried various ways to bypass the protocols and succeeded to get the desired output. If a prompt is detailed enough to explain to the bot steps of writing the malware instead of a direct prompt, it will answer the prompt, effectively constructing malware on demand.

Considering there are already criminal groups offering malware-as-a-service, with the assistance of an AI program such as ChatGPT, it may soon become quicker and easier for attackers to launch cyberattacks with the help of AI-generated code. ChatGPT has given the power to even less experienced attackers to be able to write a more accurate malware code, which previously could only be done by experts.

**Business Email Compromise**

ChatGPT is excellent at replying to any content query, such as emails and essays. This is especially applicable when paired with an attack method called business email compromise, or BEC.

With BEC, attackers use a template to generate a deceptive email that tricks a recipient into providing the attacker with the information or asset they want.

Security tools are often employed to detect BEC attacks, but with the help of ChatGPT, attackers could potentially have unique content for each email generated for them with the help of AI, making these attacks harder to detect.

Similarly, writing phishing emails may become easier, without any of the typos or unique formats that today are often critical to differentiate these attacks from legitimate emails. The scary part is it’s possible can add as many variations to the prompt, such as "_making the email look urgent_," "_email with a high likelihood of recipients clicking on the link_," "_social engineering email requestion wire transfer_," and so on.

Below was my attempt to see how ChatGPT would reply to my prompt, and it returned results that were surprisingly good.

    

**Where Do We Go From Here?**

ChatGPT tool is transformational in many cybersecurity scenarios if put to good use.

From my experience researching with the tool and from what the public is posting online, ChatGPT is proving to be accurate with most detailed requests, but it still is not as accurate as a human. The more prompts used, the more the model trains itself.

It will be interesting to see what potential uses, positive and negative, come with ChatGPT. One thing is for sure: The industry cannot merely wait and watch if it creates a security problem. Threats from AI are not a new problem it has been around, it's just that now ChatGPT is showing distinct examples that look scary. We expect the security vendors will be more proactive to implement behavioral AI-based tools to detect these AI-generated attacks.

ChatGPT Artificial Intelligence: An Upcoming Cybersecurity Threat?

The hosting services provider shared new details on the breach that took down its Hosted Exchange Email service.

Rackspace has completed its forensic investigation into the Dec. 2 ransomware attack that took down its Hosted Exchange Email service and announced that it will discontinue that offering and transition it to cloud-based Microsoft 365.

The company said it has no plans to rebuild the hosted Exchange server environment, which has been down since the attack, and that it already had been on track to migrate to 365 before the ransomware incident.

Rackspace had decided not to apply Microsoft's ProxyNotShell patch to its Exchange Servers amid concerns over reports that the software update caused "authentication errors" that the company feared could take down its servers. Instead, it stuck with Microsoft's recommended mitigations for the vulnerabilities to thwart a ProxyNotShell attack.

That strategy fell apart, as the Play ransomware group was able to bypass Microsoft's mitigations with a new exploit abusing the CVE-2022-41080 vulnerability that breached Rackspace's Hosted Exchange systems. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable," Rackspace noted in a post today.

**Play Stole Data from 27 Rackspace Customers**

According to the managed cloud hosting services company, the attackers grabbed the Personal Storage Tables (PSTs) of 27 of its around 30,000 Hosted Exchange customers, but there is no evidence the Play hackers ever viewed or distributed the pilfered information. "Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor," the company said.

"As a reminder, no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident," Rackspace asserted.

Meanwhile, the email data recovery efforts remain underway for its Hosted Exchange customers. "As of today, more than half of impacted customers have some or all of their data available to them for download. However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data," Rackspace said. The company also will offer an on-demand option for customers who want to download their data.

Rackspace said it's contacting customers for which it has recovered more than half of their mailboxes; their recovered data is available via its customer portal. "To check if your historical email data is available, please follow Step 2 on our Data Recovery Resources page (https://www.rackspace.com/hosted-exchange-incident-data-recovery-resources) and see if your mailbox is ready to download," the company said in its post, which provides additional resources as well.

Rackspace Sunsets Email Service Downed in Ransomware Attack

Encrypting data while in use, not just in transit and at rest, closes one more avenue of cyberattack.

Digital transformation initiatives, spurred by COVID-19, are helping companies scale new heights in efficiency and productivity. However, they have also highlighted to enterprise leaders the need for tighter cybersecurity measures — especially as attackers continue to ride the wave of new technologies to launch sophisticated attacks. The number of records exposed in data breaches consistently went up throughout 2022 — 3.33 million records in the first quarter of 2022, 5.54 million records in the second quarter, and 14.78 million records in the third quarter — according to data from Statista.

Organizations face various challenges as they grapple with managing and securing the explosion of data created, in part, by remote environments. This, coupled with the lack of visibility across dispersed networks and growing migration to the cloud, has increased the risk of attacks across multiple industries, including healthcare, financial services, and decentralized finance (DeFi).

Confidential computing segregates data and code from the host computer's system and makes it harder for unauthorized third parties to access the data. The way that confidential computing protects sensitive data could smooth the way for increased cloud adoption in highly regulated sectors such as finance and healthcare, according to Gartner.

As more organizations handle large volumes of data, ushering in a greater need for privacy and data security, confidential computing is poised to close that security gap by ensuring data remains confidential at all times — while at rest, in transit, and in use.

**A Different Approach to Cybersecurity**

Most encryption schemes focus on protecting while at rest, or while in transit. Confidential computing protects data while in use — by allowing data to remain encrypted even as it’s being processed and used in applications. The market for confidential computing is expected to grow up to $54 billion by 2026, according to a report by Everest Group.

"Everybody wants to continue to reduce the attack surface of data. Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level," said Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations, in a previous article on Dark Reading.

Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer, also noted in the article that confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models.

The hardware element of confidential computing makes it uniquely secure, says Jay Harel, VP of product at Opaque Systems. "A hacker must literally crack the CPU open and tap into the silicon die in order to steal any confidential data," Harel says. "Most data breaches happen remotely, over the Internet. Confidential computing requires physical access to the hardware, making a breach much less likely."

Cloud vendors Microsoft Azure and Google Cloud make confidential computing available through CPUs from Intel and AMD, while Amazon AWS uses its own Nitro technology. "I wouldn't say that the hardware is fully mainstream yet, as most compute resources offered by these vendors still don't have confidential computing capabilities," Harel notes.

As Noam Dror, senior vice president of solution engineering at Hub Security, puts it, "Today, when hackers get past standard security controls, they can access data in use which is totally exposed and unencrypted. Existing cybersecurity measures have a hard time dealing with these issues. This is where confidential computing comes in, providing comprehensive cyber protection across all levels. These most sensitive data must be protected leveraging confidential computing because the computing environment will always be vulnerable."

**Helps Industries Share Data Securely**

The confidential computing approach to cybersecurity offers several advantages, particularly in sectors where client or patient data is highly sensitive and regulated — like the healthcare sector, for example. In such sectors, confidential computing can enable secure multiparty training of AI for different purposes and ensure data privacy.

Cloud security company Fortanix says that financial services in particular should invest in confidential computing, for several reasons: it involves masses of personally identifiable information (PII), it is heavily regulated, its monetary value attracts attention from cyber criminals, and "it's an industry that hasn't figured out a secure way to share valuable data among each other that can be used to detect fraud or money laundering," a Fortanix spokesperson says. Fortanix adds it is also seeing interest in confidential computing from industries with similar characteristics, such as healthcare enterprises and government entities.

"Confidential computing reduces the trusted computing base to the minimum. It takes the trust away from configuration files, and secrets and passwords managed by humans, which can be error-prone. The trust circle is reduced to the CPU, and the application, and everything in between — the operating system, the network, the administrators, can be removed from that trust circle. Confidential computing gets closest to achieving zero trust when establishing communication between app-to-app or machine-to-machine," Fortanix says.

**Complete Control Over Data**

Today's protective solutions are insufficient and leave critical data exposed. Cloud providers AMD, Intel, Google Cloud, Microsoft Azure, Amazon Web Services, Red Hat, and IBM have already deployed confidential computing offerings. A growing number of cybersecurity companies, including Fortinet, Anjuna Security, Gradient Flow, and Hub Security, are also providing such solutions.

Harel says, "Confidential computing is a natural addition to their security arsenal, allowing them to evolve their breach defense and take it to the next level. It allows them to finally protect data in use, after spending decades and billions of dollars protecting data at rest and in transit."

Nataraj Nagaratnam, IBM distinguished engineer and CTO for cloud security, believes that confidential computing is a game-changer, especially because it gives customers complete control of their data. "Confidential computing primarily aims to provide greater assurance to companies that their data in the cloud is protected and confidential. It encourages companies to move more of their sensitive data and computing workloads to public cloud services," he notes.

How Confidential Computing Can Change Cybersecurity

A data dump of Twitter user details on an underground forum appears to stem from an API endpoint compromise and large-scale data scraping.

Data from 200 million Twitter users has been gathered and put up for free on an underground hacking forum, researchers are warning.

Public account details, including account name, handle, creation date, and follower count are all part of the 63GB worth of data uploaded to the Dark Web on Jan. 4, according to an investigation from Privacy Affairs. The cybercriminal responsible said the materials were collected via data scraping, which is a process of using automated scripts to lift public data from social media sites. However, the database also contains email addresses, the firm found — which aren't part of users' public profiles.

"The availability of the email addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks," said Miklos Zoltan, founder at Privacy Affairs, in a blog post. "The email addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users."

While it's unclear how the email addresses were accessed, Zoltan noted that the "most likely method used could have been the abuse of an application programming interface (API) vulnerability." After all, at least one past Twitter data leak stemmed from the abuse of a Twitter API, resulting in the linking of phone numbers with Twitter handles. And in August, thousands of mobile apps were found to be leaking Twitter API keys.

Other researchers concur with Zoltan's assessment.

"API security is the real story here," Sammy Migues, principal scientist at Synopsys, said in an emailed statement. "As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures."

Twitter has so far been mum on the developments, and did not immediately respond to a request for comment from Dark Reading.

**Public Profile Data Scraping Represents Real Risk****

The 200 million Twitter records appear to be the same data set that appeared for sale for $200,000 in underground markets in December, Privacy Affairs added. At the time, there were 400 million profiles included, but the firm said this latest listing de-duped the database, resulting in a leaner data set with no repeats — and it's now being offered for free to anyone who wants to download it.

Aside from the cyber-danger involved in leaking emails associated with Twitter handles, even the publicly available data could be used for highly targeted attacks.

Specifically, it can be cross-referenced with other data that a user may have shared across platforms to create a 360-degree view of a person — their interests, their likes, the social circles they run in, and even corporate activity (remember, Twitter handles are often used on corporate sites in lieu of direct contact info — and can thus act as metatags that attackers can use to track the user's web presence, far outside of Twitter itself).

In this case, since so much data is collected in volume in a handy database, this process, and the attacks it can engender, can now be automated. This can be a real problem not just for social media users but the platforms themselves — both Facebook and LinkedIn have faced fines and general hot water for past data-scraping incidents. And, who can forget the former's Cambridge Analytica scandal, in which a mind-boggling number of public user profiles and posts were scraped and used to target political messaging to site users.

As far as how to protect oneself from any follow-on cyberattacks (or influence targeting), best practices still apply, according to Jamie Boote, associate software security consultant at Synopsys.

"As always, malicious actors have your email address," he said, via email. "To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams."

There's also a cautionary tale to be had in terms of being careful with what one publicly shares on social media, to avoid making it easy for cyberattackers to build rich-data profiles.

And Privacy Affairs' Zoltan offered another lesson to be learned: "While not a very popular method at the moment, it would also be useful to use 'burner' email addresses or separate email addresses for online accounts while forwarding emails to a master address. This way, even if the email address associated with a Twitter or any other account is leaked, it can’t be associated with the end-user’s identity or other online services."

**

200M Twitter Profiles, with Email Addys, Dumped on Dark Web for Free

New platform features and integrations enable analysts to quickly detect and remediate threats.

**Broomfield, Colo. — January 05, 2023 —** LogRhythm, the company empowering security teams to navigate the ever-changing threat landscape with confidence, today announced a series of expanded capabilities and integrations for its security operations solutions. The updates propel LogRhythm’s ability to be a much-needed force multiplier for overwhelmed security teams who are expected to confidently, effectively, and efficiently defend against cyberattacks.  

Following the October launch of LogRhythm Axon, a groundbreaking, cloud-native security operations platform, the company is introducing new visualizations and powerful analytics that offer seamless visibility into potential security risks. Designed to streamline the experience of security analysts, Axon and its latest updates make it easier for teams to detect, investigate, and report on potential threats, reducing the burden of managing threats and the operating infrastructure.  

“On a daily basis, we strive to empower lean and overburdened security teams with the most intuitive experience and contextual analytics,” said Chris O’Malley, CEO of LogRhythm. “By continuously working to fulfill that mission and deliver innovation that matters to customers every quarter, we are delivering on our promise of helping customers quickly reduce noise and secure their environment so that they can concentrate on safely competing in the digital age where fast beats slow.”  

“Axon has already given our team the tools to effectively analyze our environment and improve our security posture,” said Eric L., Network Engineer at global manufacturing company. “Data collection and correlation to detect threats and respond can be time consuming. Axon gives us an intuitive interface to perform complex searches on data to filter in what really matters. We cannot wait to use the powerful analytics tools that will quickly surface threats.” 

This quarter’s enhancements span LogRhythm’s product portfolio to collectively enable SOC teams to detect and resolve threats more easily, improving analyst productivity and effectiveness. Additional enhancements and integrations with LogRhythm’s Axon, SIEM, NDR, and UEBA solutions released in this quarterly rollout include: 

LogRhythm Axon 

·New custom and out-of-the box analytics rules, including rules for MITRE ATT&CK detections 

·New markdown widget and histogram widget cuts down on time spent searching for data 

·Easily investigate log observations raised by analytics through the Observation Workflow 

LogRhythm SIEM 

·Improved administrative workflow for collection shortens time to configure, deploy, and manage log sources that require Open Collector 

·Enhanced audit logging makes it easier to monitor suspicious activity and track when users make important changes 

·Updated and expanded LogRhythm’s library of supported log sources 

LogRhythm UEBA 

·New detection models for Windows systems to quickly uncover hard to detect threats 

LogRhythm NDR 

·Improved blind spot detection and endpoint visibility through integration with Microsoft EDR  

·Easily ingest data from VirusTotal with new configuration page 

·Improved analyst experience with expanded UI improvements 

“This quarter, we are especially excited about the number of groundbreaking and enhanced capabilities coming to our market-leading solutions,” said Kish Dill, Chief Product and Customer Officer of LogRhythm. “These enhancements and integrations have been curated with the goal of simplifying the lives of security analysts and enabling them to detect threats faster through seamless visibility, enhanced collection, and an intuitive analyst experience.” 

To learn more about LogRhythm’s offerings, please visit: https://logrhythm.com. 

**About LogRhythm** 

LogRhythm helps busy and lean security operations teams save the day — day after day. There’s a lot riding on the shoulders of security professionals — the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources — the weight of protecting the world.   

LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps. Together, LogRhythm and our customers are ready to defend. Learn more at logrhythm.com.

LogRhythm Enhances Security Analytics With Expanded Security Operations Capabilities

In a new survey from Clever, 3 out of 4 school districts say they will increase their spending on security and privacy in the next two to three years; 1 in 4 teachers report that cybersecurity training is missing in their district.

**SAN FRANCISCO****,** **Jan. 5, 2023** **/PRNewswire/ --** Clever, the platform used by more than 70% of U.S. K-12 schools to simplify and secure digital learning, today announced a new survey of school administrators and teachers revealing that the two groups perceive security vulnerabilities differently as the district edtech stack increases. According to the data, three out of four districts say they will increase their spending on security and privacy in the next two to three years. While more than half of administrators (63%) and teachers (53%) believe that their district is prepared to take on digital security challenges, one in four teachers report that cybersecurity training is missing altogether in their district.

Last year, over 90% of educators said they will continue to use at least some of the digital tools they adopted during the pandemic, as schools increasingly embrace devices and digital platforms to enable individualized instruction and student support. But with the expanded access to technology comes greater responsibility on schools and their edtech partners to protect the information these tools may collect. In 2021, nearly a million students were impacted by 67 ransomware attacks against schools, with a cost of over $3.5 billion in downtime.  

To help district and school leaders navigate new edtech practices in this era of increased usage, Clever surveyed almost 4,000 teachers and administrators. The data suggest that educators and administrators perceive the risks in schools differently: only 11% of teachers said a cybersecurity incident would be very likely, but one in four administrators say their district already experienced a hack, phishing incident, data breach, or other cyber attack in the past year.

"Creating a safe digital learning environment requires that everyone -- administrators, educators, students -- play a role," said Mohit Gupta, who oversees security products at Clever. "Cybersecurity is a team sport, and the differences highlighted in the survey offer us a path forward to address vulnerabilities in our schools. While the groups differ on where the risks exist, they agree on what can be done: more training for educators, the use of security tools, and increased specialized staff."

Among additional key findings from Clever's Cybersecure 2023 report:

*   **Teachers and administrators see devices as the greatest tech vulnerability in their district.** Teachers (34%) and administrators (34.3%) alike believe that devices are the most vulnerable part of their technology infrastructure. However, administrators are more aware of potential risks elsewhere as well: they're five times more concerned about vulnerabilities from administrative platforms like a learning management system or student information system, and nearly three times more concerned about vulnerabilities from applications used for curriculum and instruction.
*   **When it comes to identifying risks around human usage of technology, administrators think teachers are the most likely source of security vulnerability, but teachers think students are.** Teachers, responsible for their own safe use of technology and appropriate use by their students, see students (67%) as the biggest risk for a security incident, followed by teachers (27%). In contrast, two-thirds of administrators believe that teachers pose the highest vulnerability threat, and only 19% believe it to be students. Administrators were also three times more likely than teachers to say administrators are a vulnerability.
*   **Teachers and administrators agree on what can be done to improve digital security.** Both groups believe the three most important activities to support security are: 1) more educator training; 2) more or better technology solutions; and 3) more staff focused on technology. Two-thirds of teachers indicated they would want to learn more about topics related to data privacy and security.
*   **Yet, one in four teachers say cybersecurity training is missing altogether in their district.** While the majority of administrators and educators report that privacy and security training happens in their district, a surprising 26% of teachers say they never receive training on privacy or security – representing a big opportunity for districts to shore up their practices.
*   **Increasing challenges means increased spending.** 65% say their spending on digital security will increase over the next two to three years; another 12% say it will increase significantly, and a majority say that federal stimulus dollars are helping support their efforts.

The survey, administered throughout October 2022 using Clever's user database, asked more than 800 US-based school administrators and more than 3,000 US-based educators. To see the full findings and methodology, click here.

**About Clever**

Clever is on a mission to unlock new ways to learn for all students. More than 70% of U.S. K-12 schools now use Clever to simplify access and improve engagement with digital learning. With our free platform for schools and a network of leading application providers, we're committed to advancing educational equity. Clever, a Kahoot! company, has offices in San Francisco, CA and Durham, NC but you can visit us at clever.com anytime.

SOURCE Clever

New Survey: One In Four Schools Were Victims Of Cyber Attacks In the Last Year; Administrators To Increase Spending On Privacy and Security

Check Point Research (CPR) releases new data on 2022 cyberattack trends. The data is segmented by global volume, industry and geography. Global cyberattacks increased by 38% in 2022, compared to 2021. These cyberattack numbers were driven by smaller, more agile hacker and ransomware gangs, who focused on exploiting collaboration tools used in work-from-home environments, targeting of education institutions that shifted to e-learning post COVID-19. This increase in global cyberattacks also stems from hacker interest in healthcare organizations, which saw the largest increase in cyberattacks in 2022, when compared to all other industries. CPR warns that the maturity of AI technology, such as CHATGPT, can accelerate the number of cyberattacks in 2023. 

Check Point Research (CPR) has released new data on last year’s cyberattack trends. The data is segmented by global volume, industries, continents and countries.

**Key Statistics:** 

*   Global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization
*   Top 3 most attacked industries in 2022 were Education/Research, Government and Healthcare
*   Geography of Africa experienced the highest volume of attacks with 1875 weekly attacks per organization, followed by APAC with 1691 weekly attacks per organization
*   North America (+52%), Latin America (+29%) and Europe (+26%) showed largest increases in cyberattacks in 2022, compared to 2021
*   USA saw a 57% increase in overall cyberattacks in 2022, UK saw a 77% increase and Singapore saw a 26% increase

Cyberattacks are increasing world-wide, with 38% more cyberattacks per week on corporate networks in 2022, compared to 2021. Several cyber threat trends are all happening at once.

For one, the ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Second, hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organizations’ employees continue to work remotely.

Third, academic institutions have become a popular feeding ground for cybercriminals following the rapid digitization they undertook in response to the COVID-19 pandemic. In fact, the education/research sector was the number one most attacked industry globally, seeing a 43% increase in 2022 compared to 2021, with an average of 2,314 attacks per organisation every week. Many education institutions have been ill-prepared for the unexpected shift to online learning, creating ample opportunity for hackers to infiltrate networks through any means necessary. Schools and universities also have the unique challenge of dealing with children or young adults, many of which use their own devices, work from shared locations, and often connect to public WiFi without thinking of the security implications.

Looking back at cyberattacks for the healthcare sector in 2022, healthcare organizations in the US suffered an average of 1410 weekly cyberattacks per organization, which is 86% higher than the number we saw in 2021, with the healthcare sector ranking second out of all sectors for the most cyberattacks in the US.

Hackers like to target hospitals because they perceive them as short on cyber security resources with smaller hospitals particularly vulnerable, as they are underfunded and understaffed to handle a sophisticated cyberattack.

The healthcare sector is so lucrative to hackers as they aim to retrieve health insurance information, medical records numbers and, sometimes, even social security numbers with direct threats from ransomware gangs to patients, demanding payment under threats of having patient records released. Ransomware gangs also find the attention gained from attacking a hospital as an attractive plus-point for their notoriety.

Unfortunately, we expect the increase in cyberattack activity to only increase. With AI technologies such as ChatGPT readily available to the public, it is possible for hackers to generate malicious code and emails at a faster, more automated pace.

To protect yourself, it is imperative to think about prevention first, not detection. There are several best practices and actions an organization can take to minimize their exposure to the next attack or breach, such as cyber security training, keeping patches up-to-date and implementing anti-ransomware technology.”

**Cyber Safety Tips:** 

1.  **Cyber Awareness Training**: Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
    1.  Not click on malicious links
    2.  Never open unexpected or untrusted attachments
    3.  Avoid revealing personal or sensitive data to phishers
    4.  Verify software legitimacy before downloading it
    5.  Never plug an unknown USB into their computer
    6.  Use a VPN when connecting via untrusted or public Wi-Fi
2.  **Up-to-Date Patches:** Keeping computers and servers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
3.  **Keep your software updated.** Ransomware attackers sometimes find an entry point within your apps and software, noting vulnerabilities and capitalizing on them. Fortunately, some developers are actively searching for new vulnerabilities and patching them out. If you want to make use of these patches, you need to have a patch management strategy in place—and you need to make sure all your team members are constantly up to date with the latest versions.
4.  **Choose Prevention over detection:** Many claim that attacks will happen, and there is no way to avoid them, and therefore the only thing left to do is to invest in technologies that detect the attack once it has already breached the network and mitigate the damage as soon as possible. This is not true. Not only can attacks be blocked, but they can be prevented, including zero-day attacks and unknown malware. With the right technologies in place, most attacks, even the most advanced ones, can be prevented without disrupting the normal business flow.

Check Point Research Reports a 38% Increase In 2022 Global Cyberattacks

DevOps platform warns customers of a "security incident" under investigation.

DevOps platform CircleCI is warning users of its continuous integration and deployment (CI/CD) to "immediately" rotate all secrets — think passwords, API keys, SSH keys, configuration files, OAuth tokens, etc. — stored on the platform in the wake of a security incident under investigation at the company.

In a blog post this week, Ron Zuber, CTO of CircleCI, urged customers to first rotate all secrets stored "in project environment variables or in contexts" and then check internal logs for signs of "unauthorized access" from Dec. 21, 2022, and up to the date of rotation.

"Additionally, if your project uses Project API tokens, we have invalidated those and you will need to replace them. You can find more information on how to do that in our documentation here," Zuber said.

The company is continuing to investigate the security breach and plans to provide more details as they emerge. "At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well," Zuber wrote.

Meanwhile, CI/CD services have become a popular target of cryptominers for deploying code and setting up cloud-based mining platforms, a recent report from Sysdig found.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading