**January 25, 2023 - California, US;** In 2023 there will be a global increase in data privacy regulation enforcement, new regulations in the United States leading to further fragmentation, investment in privacy-enhancing technologies, and hopes for agreement on a data transfer mechanism between the EU and US, among other developments. In light of Data Privacy Day 2023, data privacy technology Privado is today announcing **Data Privacy All-Stars** and **Rising Stars**, recognizing the efforts of these individuals within their industry as they share their insights on the challenges that lie ahead in 2023. 

Privado received over 2,000 nominations for its inaugural Data Privacy Stars listing. The list recognizes All-Star and Rising Star recipients for the exceptional work done by individuals who are taking privacy and security to the next level within their organization and beyond by spreading awareness of data privacy across the world. 

The **All-Stars 2023** list celebrates those who have considerable data privacy related achievements to show over the years. The **Rising Stars 2023** list commends those who are passionately driving data privacy initiatives.

Data Privacy Stars shared their insights, tips and predictions for 2023. 

2023 top data privacy challenges: 

*   More fines and enforcement that holds leadership (CEOs, CISOs) accountable. 
*   New regulations leading to more complexity and fragmentation.
*   Focus on protecting children and healthcare data including more direct guidance from the FTC and the HSS.
*   AI will bring new risks we haven’t seen before as it finds and exploits loopholes.
*   Skepticism on an agreement for a data transfer mechanism between EU and US.
*   User demand for more visibility and controls over consent.

2023 data privacy top tips: 

*   Data mapping as the undisputed foundation of any privacy program. 
*   Make privacy second nature by embedding privacy processes into stakeholder teams’ existing processes.
*   Implement Privacy by Design practices.
*   Having leadership acknowledge and champion how important data privacy is to make a difference.
*   Rightsizing privacy strategy for the current stage of your organization.
*   Step away from making privacy a policing role. Engage developer teams by bringing empathy, some social intelligence but most of all understanding business needs.
*   Proactive scanning capabilities and data lineage capabilities will be important. 

January 28, 2023 marks Data Privacy Day, an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. Initiated in 2007 by the Council of Europe and adopted in 2009 by the United States, Data Privacy Day is now observed by over 50 countries around the world.

**Vaibhav Antil, CEO of Privado** commented: "Ahead of Data Privacy Day, we wanted to recognize individuals doing exceptional and innovative privacy work within their organizations. We want to highlight their accomplishments and share their insights with peers across the world."

"Data Privacy Day gives us all an opportunity to take a second and think about what we share about ourselves, when and where we share it, and who we are sharing it with. Organizations are taking the challenge of safeguarding our data head-on while continuing to deliver value to consumers, and so today is also a good opportunity to raise awareness of the magnitude this effort represents for every company and how every individual must be solving for privacy."

Founded in 2020, Privado was created to address the privacy issues facing businesses around the world. Privado offers open-source and enterprise code scanning solutions purpose-built for privacy that identifies data usage, discovers data flows & flags privacy issues like excessive user permissions or data leakages to logs.

**About Privado**

Privado is the privacy code scanner for privacy & security teams who want unparalleled visibility into data flows from applications & helps developers fix privacy vulnerabilities like personal data leakages to logs or third parties. Founded in 2020, Privado has enabled Headspace, Zego, Thrasio, TrendyOl & many more enterprises to embed privacy checks in their Software Development Life Cycle. For more information please visit https://www.privado.ai/ or follow via Twitter and LinkedIn.

Data Privacy Day: Privado Flags Data Privacy Challenges In 2023 As It Hails Industry Stars

Two common attacks against on-premises Kerberos authentication servers — known as Pass the Ticket and Silver Ticket — can be used against Microsoft's Azure AD Kerberos, a security firms says.

Microsoft's Azure AD Kerberos service, a cloud-based identity and access management (IAM) service based on Kerberos authentication, can be attacked using techniques similar to those used by attackers against on-premises Kerberos servers.

Kerberos is a widely used protocol used to authenticate users and devices via symmetric key cryptography and a key distribution center; it enables modern authentication mechanisms such as single sign-on (SSO). Because Kerberos authentication is a standard security measure for many enterprises, attackers have frequently tried to compromise or bypass the authentication servers using identity attacks that spoof legitimate users.

In the on-premises world, a pair of common identity attacks are the Pass the Ticket and Silver Ticket approaches, which allow an attacker to use stolen credentials or mint their own credentials, respectively, and authenticate with enterprise services. Both techniques continue to work to some degree against the cloud versions of Kerberos authentication servers, according to cybersecurity services firm Silverfort, which dubbed the cloud-based iterations of the attacks the Bounce the Ticket and Silver Iodide threats.

"Identity attacks that have existed for some time are still a risk as organizations move into the cloud," says Dor Segal, senior security researcher at the firm. "Azure AD Kerberos is a new implementation but not a new protocol. Security teams need to be aware of this fact and put appropriate mitigations in place."

The fact that variants of the two attacks still work in the cloud show that moving security infrastructure to the cloud has little impact on the threat, Segal says.

"The issues outlined could impact anyone using the new Azure AD Kerberos protocol," he says. "While Azure AD Kerberos is still in initial stages of adoption, as with anything released by Microsoft, the scale of usage will increase. In the past, this type of lateral movement was an issue affecting the on-premises enterprise network. These \[new\] attacks break this perimeter."

Microsoft added Kerberos functionality to its Azure Active Directory service last August, and attackers are sure to follow, Silverfort argued in a research report issued Jan. 25. After all, IAM systems have become linchpins for many companies' zero-trust security efforts, with Microsoft Active Directory, for example, a target of attacks in nine out of 10 incidents. In addition, Kerberos is a frequent target of attackers, who often go after "tickets" — i.e., encrypted authentication credentials or tokens, used by the Kerberos protocol as proof that a client or device has authenticated to the server. 

A successful attempt to duplicate a ticket gains attackers access to protected resources for a limited time, generally on the order of hours, allowing them to move around a corporate network or use SSO services like email that might be protected by the Kerberos credential.

**Bouncing & Silver Tickets**

In the first attack, dubbed a Bounce the Ticket attack, an attacker who has compromised one user's system and who steals a Kerberos ticket from the machine's memory can then then use the secret key to gain access to cloud workloads. This attack bears similarities to the on-premises Pass the Ticket attack on Kerberos authentication services and gives the attack the ability to "access cloud-based resources that rely on Azure AD Kerberos," according to Silverfort's research.   

    

The Bounce the Ticket attack flow. Source: Silverfort

In the second attack, dubbed a Silver Iodide attack, an attacker who gains access to one user's Azure AD account can connect to a specific service — in the example given by Silverfort, the Azure Files cloud sharing service — after finding a "security gap" in the service. The security weakness, which Silverfort did not describe, can be used to create a new server ticket to access or manipulate information. The technique, which resembles the Silver Ticket attack against on-premises Kerberos servers, could be used against other cloud services as well, as long as attackers can find ways around specific controls, Silverfort stated. 

**No Fix Ahead**

Overall, the two issues represent ways an attacker — who has compromised either a system on the network or an Azure AD account — could recover Kerberos tickets and reuse those secrets to extend access to other infrastructure. 

Silverfort disclosed the issues to Microsoft, and while the company is aware of the weaknesses, it does not plan to fix them, because they are not "traditional" vulnerabilities, Segal says. Microsoft also confirmed that the company does not consider them vulnerabilities. 

"This technique is not a vulnerability, and to be used successfully a potential attacker would need elevated or administrative rights that grant access to the storage account data," a Microsoft spokesperson tells Dark Reading. "We recommend customers regularly review their role definitions that include 'listkeys' permissions, and enable software that prevents attackers from stealing credentials, such as Credential Guard."  

Silverfort's Segal acknowledges that to fix the issues, the Kerberos protocol would have to be redesigned, and that is unlikely.

"Fixing a weakness in any implementation of Kerberos is not as straightforward as patching a traditional software vulnerability because it would require re-engineering the entire protocol," he says. "This would be a significant undertaking which would take a large amount of resource and impact the compatibility of legacy applications using Kerberos."

Companies can make it harder to exploit any security weakness in their cloud-based Kerberos infrastructure, however. Organizations should review any changes to the Azure Access Control service and monitor updates to the permissions. Reducing the number of systems authorized to hold some of the more critical cloud-based credentials — such as the Ticket-Granting Ticket (TGT) — will harden an enterprise's infrastructure to Bounce the Ticket attacks, Silverfort stated in its report.

Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts

Zacks Elite sign-ups for the period 1999–2005 were accessed, including name, address, email address, phone number, and the password associated with Zacks.com.

An older database of Zacks Market Research was accessed by an unauthorized party, compromising the personal data associated with 820,0000 users' Zacks.com accounts.

The company, which offers financial markets research, disclosed the breach as required to the Maine attorney general, and reported that the cyberattack occurred sometime between November 2021 and last August. Specifically, the records of Zacks Elite product customers who signed up between 1999 and 2005 were accessed, the company explained in a letter notifying those impacted users.

"Also, while Zacks is constantly monitoring and updating our system to safeguard customer information, including in consultation with our outside cybersecurity expert, as a result of this incident, we are conducting an investigation and continuing our ongoing efforts to evaluate and implement additional measures to further enhance our protocols for the protection of your personal information," the company said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Zacks Investment Research Hack Exposes Data for 820K Customers

In the Play Store's ToS, a paragraph says Google may remove "harmful" applications from users' devices. Is that a step too far?

Privacy has become more than a key component of corporate cybersecurity policies and procedures — it also is a lightning rod for lawsuits by consumers who believe their rights have been violated. While privacy laws have become commonplace, periodically what might seem to be relatively common language from contracts turn out to be problematic for the vendors.

Google, for example, has a long history of searching the Play Store, its apps repository, for programs that contain malware. Less than a year ago, Google removed multiple apps from the Play Store that had the banking Trojan SharkBot hidden inside.

However, while removing troublesome apps from the Play Store would seem prudent, Google takes this one step further into a legal gray area.

In Google's Play Store Terms of Service (ToS), Google notes that it scans for malware and reserves the right to remove it from a user's computer if it deems it necessary. Google's ToS reads:

**Malware protection.** To protect you against malicious third party software, URLs, and other security issues, Google may receive information about your Device's network connections, potentially harmful URLs, the operating system, and apps installed on your Device through Google Play or from other sources. Google may warn you if it considers an app or URL to be unsafe, or Google may remove or block its installation on your Device if it is known to be harmful to devices, data or users. You can choose to disable some of these protections in the settings on your Device, however, Google may continue to receive information about apps installed through Google Play, and apps installed on your Device from other sources may continue to be analyzed for security issues without sending information to Google.

This 130-word paragraph in the 3,537-word document is raising eyebrows among some privacy experts. Debbie Reynolds, CEO of data privacy consultancy Debbie Reynolds Consulting, says Google's ToS differs widely from those of other companies, in part because Google offers a variety of interconnected services that operate within the Google ecosystem.

Google's ToS is ambiguous, she says, because it is not clear about exactly what it might block or remove that is "known to be harmful to the device, data or users." The ToS also does not commit Google to tell users when it makes such a deletion.

A user might have a reason to want a program on their system that Google considers harmful, determining the risk is within their risk tolerance range. If Google deletes that without informing the user, it could have unexpected consequences.

"It is likely that Google's ambiguous stance on informing users about actions taken on their devices will face legal challenges in the future, particularly if a significant number of individuals voice complaints about Google's lack of transparency and perceived harm caused by their actions," Reynolds says.

**Deleting Apps, Not Data**

However, Rebecca Herold, CEO of consulting firm Rebecca Herold & Associates and popularly known as The Privacy Professor, says, "I do not see that they are claiming a right to delete or modify data. They are reserving the right to delete an app, which is software, if it is harmful to data, users or devices."

She clarifies that there's a difference between applications and user data. "An app is not data in the context of how this is written," Herold says. "I do not see anything within the paragraph you provided that they are going to delete data. It is possible that deleting the app will remove access from that device to the associated data, but the data would still likely exist somewhere else."

"I think the open-ended way they have worded this, giving users the ability to disable 'some' of these protections, without saying specific which protections, does not make it clear whether or not they are overstepping their legal rights," Herold notes.

"\[Google\] does not indicate they are deleting or changing data," she says. "It indicates they may uninstall an app they determine to be harmful, and/or block a website they determine to be harmful, which could remove access to the data. So, they have established their own legal requirements and limits for the boundaries of their actions."

**How Much Access Should Google Have?**

Irina Tsukerman, an attorney whose firm specializes in national security, cyber law, and emerging threats, says, "Adhesion contracts, which are one-sided and non-negotiable, are considered legal; however, if any specific clauses represent a significant burden on the consumer/client's rights, it may be deemed disputable/unenforceable, and the company may be forced by courts to change the language. In this case, the clause is far beyond the mere 'warning' or even 'blocking' language fairly typical to tech companies, because it involves the additional step of actively intervening and entering a user's system."

This intervention step is "extremely questionable in itself, because Google arguably does not have the right to access the user's entire system," she adds. Removing a program could impact other parts of the system.

Anytime such language is overbroad, it is very likely to be found illegal and violating the other party's — in this case, the user's — rights. Tsukerman says that in this case, the language is "extremely problematic due to excessive vagueness."

Google Pushes Privacy to the Limit in Updated Terms of Service

**NEW YORK****,** **Jan. 25, 2023** **/PRNewswire/ --** At least 344 organizations in the healthcare industry suffered data breaches in 2022, according to a just-released report from the Identity Theft Research Center® (ITRC). This is the third year in a row that healthcare organizations led all industries in the number of data compromises.

Healthcare organizations represented 19 percent of the 1,802 breaches reported in the 2022 ITRC report, with Financial Services (268), Manufacturing and Utilities (249), and Professional Services (224) following behind. In 2021, 15 percent of the breaches tracked by ITRC affected healthcare companies.

Cyberattacks continued to be criminals' weapons of choice, with 1,595 breaches in 2022, a slight decrease from 1,613 in 2021 with drops year-over-year in the number of breaches attributed to phishing, ransomware, and malware.

Supply chain attacks outstripped malware attacks in 2022, with 115 instances affecting 1,743 organizations and at least 10 million people. Healthcare organizations were hit particularly hard by supply chain attacks as eight of the 12 supply chain breaches cited in the report affected business associates of healthcare organizations or health insurance companies.

The breaches listed below reinforce the importance of having well-crafted business associate agreements with vendors to limit liability and maintain HIPAA compliance.

*   Shields Health Care Group, Inc.: 56 Entities; 1,804,069 Victims
*   Eye Care Leaders: 37 Entities; 3,372,880 Victims
*   Practice Resources, LLC: 28 Entities; 942,138 Victims
*   MCG Health, LLC: 10 Entities; 793,283 Victims
*   Comstar, LLC: 2 Entities; 585,621 Victims
*   Adaptive Health Integrations: 1 Entity; 510,574 Victims
*   Connexin Software, Inc.: 1 Entity; 2,216,365 Victims

"Breaches like the ones affecting the business associates listed above illustrate why HIPAA Compliance must be the foundation upon which you build your privacy and security strategy," said Marc Haskelson, the CEO of Compliancy Group, the leading provider of automated HIPAA compliance solutions for healthcare organizations. "It is impossible to prevent every data breach, especially when it happens outside of your organization, but HIPAA compliance can limit your liability and expose potential problems with suppliers through the due diligence that takes place while forging a business associate agreement.

**About Compliancy Group**

Compliancy Group gives healthcare professionals confidence in their compliance plan, increasing client loyalty, and profitability of their business while reducing risk. Their simplified software solution, and Compliance Coach® guidance, help organizations achieve HIPAA compliance with ease. Get compliant today!

SOURCE Compliancy Group

Healthcare Remains Top Target in 2022 ITRC Breach Report

New Cyberseek™ data shows US is short nearly 530,000 skilled cybersecurity staff.

**BOSTON****,** **Jan. 25, 2023** **/PRNewswire/ --** Despite recent high-profile tech industry layoffs, demand for cybersecurity professionals remains high, according to the latest data from CyberSeek™.

According to new data from the cybersecurity workforce analytics site developed in partnership by the National Initiative for Cybersecurity Education at NIST, CompTIA and Lightcast, the total number of employed cybersecurity workers held fairly steady in 2022 at around 1.1 million, while the number of online job postings edged down to 755,743 from 769,736 in the 12-month period ending in December 2022.

"Despite concerns about a slowing economy, demand for cybersecurity workers remains historically high. Companies know cybercrime won't pause for a market downturn, so employers can't afford to pause their cybersecurity hiring," said Lightcast Vice President of Applied Research-Talent Will Markow.

According to Lightcast data, each of the first nine months of 2022 set records for the highest monthly cybersecurity demand since 2012 but cooled in November and December.

A key indicator is the ratio of currently employed cybersecurity workers to new openings, which gives an indication of how big the worker shortfall is. The supply-demand ratio is currently 68 workers per 100 job openings, edging up from the previous period's ratio of 65 workers per 100 openings. Based on these numbers, we need nearly 530,000 more cybersecurity workers in the US in order to close current supply gaps.

Between 2021 and 2022, public sector cybersecurity demand grew 25 percent to 45,708 postings, while private sector demand grew at a rate of 21 percent to 710,035 job listings. Lightcast data shows an even larger disparity between growth rates when comparing the growth since 2019. In the past three years, private sector cybersecurity demand has grown 36 percent, while public sector demand grew 58 percent.

The Washington DC metro area alone accounted for 19 percent (8,686) of all public sector domestic cybersecurity demand in 2022. It's expected that the DC metro area will need 52,634 new cybersecurity workers to close current supply gaps.

"A useful feature of CyberSeek is the differentiation between public sector data for federal and state governments and private sector data that is further segmented by sectors of the economy," said Rodney Petersen, Director of the National Initiative of Cybersecurity Education (NICE). "The methodology for identifying job openings and the employed cybersecurity workforce in the public sector utilizes the NICE Workforce Framework for Cybersecurity and is consistent with the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015 that directs federal agencies to identify positions that require the performance of information technology, cybersecurity, or cyber-related functions."

"Each new disclosure of a data breach amplifies the critical need for more cybersecurity professionals," said Nancy Hammervik, Chief Solutions Officer at CompTIA. "The variety and volume of cybersecurity career opportunities available across the country are illustrated clearly and comprehensively on CyberSeek. Whether you are an experienced cyber pro interested in new challenges, or someone intent on starting a career in cybersecurity, CyberSeek provides detailed information about career pathways, salaries, credentials, and skill sets associated with specific job roles."

Details on the new CyberSeek data were presented and discussed this week at the NIST webinar "Providing Timely and Clear Data to Support Federal Cybersecurity Workforce Needs."

Despite Slowing Economy, Demand for Cybersecurity Workers Remains Strong

**DOWNERS GROVE, Ill.****,** **Jan. 25, 2023** **/PRNewswire/ --** Organizations must adopt a multi-pronged approach involving new strategies and tactics to address the growing global shortage of cybersecurity professionals, according to CompTIA, the nonprofit association for the information technology (IT) industry and workforce.

The world's cyber workforce was among the issues discussed during the recent Cyber Future Dialogue 2023 in Davos, Switzerland. Gordon Pelosse, senior vice president, employer engagement, CompTIA, was among the dozens of executives participating in the conference.

"The cybersecurity workforce problem is real and is being felt globally," Pelosse said. "Every company is scrambling for talent, knowledge and solutions in an ever-evolving environment."

"The discussion on the cyber workforce elicited a wide range of views; from there is nothing that can be done to leave it to technology to solve," Pelosse continued. "This view is wishful thinking, hoping we can one day automate our way out of this talent shortage. Automation holds promise, but requires human reasoning, strategic decision-making, design, support, and intervention to remediate many of the evolving attacks we see today."

Creating a multi-faceted approach to building or expanding a cybersecurity workforce requires organizations to meld current practices with new thinking. The most expedient solution is to look at the tech talent that they already employ.

"If you have skilled and experienced network administrators and engineers, systems administrators or others that understand the fundamentals of IT and networking, upskilling these individuals into cybersecurity roles may be the best immediate solution to fill these positions," Pelosse said.

Employers must also expand the pool of candidates they are willing to recruit from. While college is an excellent choice for many people, it is not for everyone.

"Boot camps, technical training classes, self-paced study, industry certifications and other methods can produce excellent candidates for cybersecurity roles and other technology positions without the need for an advanced academic degree," Pelosse noted.

CompTIA's latest "State of Cybersecurity" report found that the general state of cybersecurity is making relatively slow progress. Especially in more developed regions, few individuals believe that there is dramatic improvement being made. In most cases, nearly the same percentage of people believe that the situation is getting worse. Nearly everyone feels that there is room for improvement."

A high degree of cooperation among employers, industries, education and training organizations and others is needed to address these challenges.

"With its global presence and history of facilitating collaborative solutions to common problems, CompTIA is uniquely positioned to address cybersecurity workforce challenges," Pelosse concluded.

CompTIA offers many resources to support its commitment to building a robust cybersecurity workforce around the world to help organizations strengthen their cyber defenses, including training programs and certifications for cybersecurity professionals, career insights, best practices and guides, research,  and the CompTIA Cybersecurity Trustmark, an organizational credential for the managed service provider (MSP) community.

**About CompTIA** 

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the estimated 75 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world's economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for unlocking the potential of the tech industry and its workforce. https://www.comptia.org/

Davos Debrief: Critical Shortage of Cybersecurity Talent Requires Action on Several Fronts, CompTIA Executive Says

The security vulnerability allows attackers to spoof a target certificate and masquerade as any website, among other things.

Researchers have developed a proof-of-concept (PoC) exploit for a public x.509 certificate-spoofing vulnerability in the Windows CryptoAPI that the NSA and the National Cyber Security Center (NCSC) reported to Microsoft last year.

Microsoft quietly patched the bug, tracked as CVE-2022-34689, in its August 2022 monthly Patch Tuesday security update, but only publicly disclosed it in October. At the time, it assessed the vulnerability as one that attackers were more likely to exploit. But it offered scant details on the bug or how an attacker might exploit it.

"When the patch was released, this bug was missing from \[Microsoft's\] release notes," says Yoni Rozenshein, security researcher at Akamai. "It was announced retroactively two months later, in October, and there seems to be no information available that describes the vulnerability and how it's exploited."

**Proof-of-Concept Attack for CVE-2022-34689**

Researchers at Akamai who have been analyzing the vulnerability for the past several months this week released details of an attack they developed for it, which they said would allow attackers to spoof the target certificate and masquerade as any website, with the ability to take a variety of malicious actions.  
"The vulnerable browser would show the green lock icon indicating a secure connection even though the connection is completely controlled by the attacker," Rozenshein says. He described Akamai's PoC for it as the first for the bug.

CryptoAPI is a Windows application programming interface that developers use to enable support for cryptography for their applications. One of CryptoAPI's roles is to verify the authenticity of digital certificates. And it is in this function where the vulnerability exists, Rozenshein says.

To verify the authenticity of a certificate, CryptoAPI first checks to see if it already exists in the receiving application's certificate cache. If it does, CryptoAPI treats the received certificate as verified. Prior to Microsoft's patch for it, CryptoAPI determined whether a received certificate was already in the certificate cache or not merely by comparing MD5 hash thumbprints. If the received certificate's MD5 thumbprint matched the MD5 thumbprint of a certificate in cache, CryptoAPI treated the received certificate as verified, even if the actual contents of the two certificates did not match exactly.

That opens the door for cyberattackers to introduce an imposter certificate.

**MD5 Thumbprints: An Incorrect Assumption**

Prior to the patch, "Microsoft inherently trusts the validity of cached certificates and doesn’t perform any additional validity checks after an end certificate is found in the cache," Akamai said in its report. While this by itself is a reasonable assumption, CryptoAPI's trust that two end certificates are identical if their MD5 thumbprints match "is an incorrect assumption that can be exploited, and was the genesis of the patch," Akamai noted.

To prove how an attacker could exploit the issue, Akamai researchers first generated two certificates — one legitimately signed and the other malicious — and rigged them so they would both end up having the same MD5 thumbprints. They then devised a way to serve the first, legitimate certificate to an application with a vulnerable version of CryptoAPI (in this case, an old version of Chrome — v48). Once the application had verified the certificate and stored it in its end certificate cache, Akamai showed how an attacker could then use a man-in-the-middle attack to serve the second malicious certificate to the same application and have it be verified as authentic.

Two conditions need to exist for the attack to work, Rozenshein says. One is that the application needs to be missing the Windows patch that Microsoft released last August. The other is that the application must use CryptoAPI for certificate verification and enable a CryptoAPI feature called "end certificate caching." The feature is disabled by default on CryptoAPI, but some applications enable it to boost performance. It is these applications that attackers can target, if an organization has not patched them.

"We are still actively researching and looking to find more vulnerable applications," Rozenshein says.

**Easy to Exploit**

Rozenshein says an attacker with control over a network can exploit the flaw without much difficulty. "They will need to compute an MD5 collision, but this can be done in advance, cheaply and in only a few hours," he says pointing to previous research that has shown how it is possible for an attacker to generate two certificates with the same MD5 thumbprint.

Once the MD5 thumbprint is calculated, the attack can be carried out easily, Rozenshein says. How an attacker carries out the next two phases of the attack (serving the two certificates) depends on the type of application being targeted, he adds: "In the case of Web browsers, we have found that simply resetting the connection after the first phase has been completed causes the browser to immediately try to reconnect. This is when the attack switches to the second phase."

Microsoft did not immediately respond to a request for comment on Akamai's research or PoC attack.

CVE-2022-34689 is the second flaw in CryptoAPI that the NSA has disclosed to Microsoft in recent years. In 2020, they reported a similar issue, tracked as CVE-2020-061, or the Curveball vulnerability. Akamai assessed the more recently disclosed flaw as presenting less of a threat than CurveBall because there are more prerequisites attached to it and therefore has a more limited scope of vulnerable targets.

Researchers Pioneer PoC Exploit for NSA-Reported Bug in Windows CryptoAPI

Encrypted backups for several GoTo remote work tools were exfiltrated from LastPass, along with encryption keys.

The GoTo remote work tool software platform has confirmed that encrypted backups for several of its tools, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere, were exfiltrated, along with some encryption keys, in last November's compromise of the LastPass cloud-based password keeper.

The compromised GoTo data could include usernames, salted and hashed passwords, some multifactor authentication (MFA) settings, product settings, and licensing information, according to the company's recent disclosure.

Impacted customers will be contacted by GoTo directly, and all affected users will have their passwords and MFA settings reset, according to a post from GoTo CEO Paddy Srinivasan, which included details on the breach.

"In addition, we are migrating their accounts onto an enhanced identity management platform, which will provide additional security with more robust authentication and login-based security options," Srinivasan added.

Last December, LastPass confirmed the theft of customer data — a follow-on cyberattack from the previous August, when the LastPass source code was stolen.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

GoTo Encrypted Backups Stolen in LastPass Breach

Don't make perfect the enemy of good in vulnerability management. Context is key — prioritize vulnerabilities that are actually exploitable. Act quickly if the vulnerability is on a potential attack path to a critical asset.

The widespread vulnerability that first appeared in Apache Log4j in 2021 will continue to be exploited, potentially even in worse ways than we've seen to date. The more worrisome aspect of these threats is that there's a good chance they'll continue to be exploited months or years into the future.

The Department of Homeland Security's Cyber Safety Review board debuted in 2021, and in 2022 released its inaugural safety report (PDF). In it, the board called Log4j an "endemic vulnerability," chiefly because there isn't a comprehensive "customer list" for Log4j, making keeping up with vulnerabilities a near-impossible task. One federal Cabinet department even spent 33,000 hours on its Log4j response.

And many organizations and security solutions on the market fail to identify the difference between exploitability and vulnerability — leaving an opportunity for attackers to carry out malicious activity.

**Exploitability vs. Vulnerability**

One of the key issues with cybersecurity today is understanding the difference between vulnerabilities and their severity. When it comes to measuring exploitability versus a vulnerability, there's a big difference between whether a security threat is exploitable within your business or if it's just "vulnerable" and cannot hinder the business or reach a critical asset. Security teams spend too much time not understanding the difference between the two and fix each vulnerability as it comes, instead of prioritizing those that are exploitable.

Every company has thousands of common vulnerabilities and exposures (CVEs), many of which score high on the Common Vulnerability Scoring System (CVSS), so it's impossible to fix them all. To combat this, the hope is that risk-based vulnerability management (RBVM) tools will make prioritization easier by clarifying what is exploitable.

However, security prioritization approaches that combine CVSS scores with RBVM threat intel don't provide optimal results. Even after filtering and looking just at what is exploitable in the wild, security teams still have too much to handle because the list is long and unmanageable. And just because a CVE doesn't have an exploit today doesn't mean that it won't have one next week.

In response, companies have been adding predictive risk AI, which can help users understand if a CVE might be exploited in the future. This still isn't enough and leads to too many issues to fix. Thousands of vulnerabilities will still show to have an exploit, but many will have other sets of conditions that have to be met to actually exploit the problem.

For example, with Log4j, the following parameters need to be identified:

*   Does the vulnerable Log4j library exist?
*   Is it loaded by a running Java application?
*   Is the JNDI lookup enabled?
*   Is Java listening to remote connections, and is there a connection for other machines?

If the conditions and parameters aren't met, the vulnerability isn't critical and shouldn't be prioritized. And even if a vulnerability could be exploitable on a machine, so what? Is that machine extremely critical, or maybe it isn't connected to any critical or sensitive assets?

It's also possible the machine isn't important yet it can enable an attacker to continue toward critical assets in stealthier ways. In other words, context is key — is this vulnerability on a potential attack path to the critical asset? Is it enough to cut off a vulnerability at a chokepoint (an intersection of multiple attack paths) to stop the attack path from reaching a critical asset?

Security teams hate vulnerability processes and their solutions, because there are more and more vulnerabilities — nobody can ever fully wipe the slate clean. But if they can focus on what can create _damage_ to a critical asset, they can have a better understanding of where to start.

**Combating Log4j Vulnerabilities**

The good news is that proper vulnerability management can help reduce and fix the exposure to Log4j-centric attacks by identifying where the risk of potential exploitation exists.

Vulnerability management is an important aspect of cybersecurity and is necessary for ensuring the security and integrity of systems and data. However, it's not a perfect process and vulnerabilities can still be present in systems despite best efforts to identify and mitigate them. It's important to regularly review and update vulnerability management processes and strategies to ensure that they are effective and that vulnerabilities are being addressed in a timely manner.

The focus of vulnerability management should not only be on the vulnerabilities themselves, but also on the potential risk of exploitation. It is important to identify the points where an attacker may have gained access to the network, as well as the paths they may take to compromise critical assets. The most efficient and cost-effective way to mitigate the risks of a particular vulnerability is to identify the connections between vulnerabilities, misconfigurations, and user behavior that could be exploited by an attacker, and to proactively address these issues before the vulnerability is exploited. This can help to disrupt the attack and prevent damage to the system.

You should also do the following:

*   **Patch:** Identify all your products that are vulnerable to Log4j. This can be done manually or by using open source scanners. If a relevant patch is released for one of your vulnerable products, patch the system ASAP.
*   **Workaround:** On Log4j versions 2.10.0 and above, in the Java CMD line, set the following: log4j2.formatMsgNoLookups=true
*   **Block:** If possible, add a rule to your Web application firewall to block: "jndi:"

Perfect security is an unachievable feat, so there's no sense making perfect the enemy of good. Instead, focus on prioritizing and locking down potential attack paths that continuously improve security posture. Identifying and being realistic about what actually is vulnerable versus what is exploitable can help do this, since it will allow the ability to strategically funnel resources toward critical areas that matter the most.

Source

DARKReading