Direct cyberattacks on vehicles are all but unheard of. In theory though, the opportunity is there to cause real damage — data extraction, full system compromise, even gaining access to safety-critical systems.

Source: Marin Tomas via Alamy Stock Photo

Six unpatched vulnerabilities in a Mazda in-vehicle infotainment (IVI) system could be exploited with a simple USB in a moments' time, and one of them has legitimate consequences to vehicle safety.

These days, cars are just computers on wheels, and IVIs are their user interface. The IVI in most Mazda vehicles of recent years — like the Mazda3 and CX-3, 5, and 9 — are built with the Mazda Connect Connectivity Master Unit (CMU), developed by the Michigan-based Visteon Corporation. The CMU is a core hardware component that enables various connectivity services: smartphone integration, a Wi-Fi hotspot, and various remote monitoring and control features.

Recent research through Trend Micro's Zero Day Initiative (ZDI) has surfaced half a dozen vulnerabilities in the Mazda IVI. A few of them enable full system compromise, and access to various sensitive data. One of particular note could enable an attacker to pivot to the vehicle's Controller Area Network (CAN) bus — the central nervous system connecting its various component parts.

None of the vulnerabilities have been assigned a value according to the Common Vulnerability Scoring System (CVSS) yet. All of them remain unpatched as of this writing. On the plus side: They all require that an attacker physically insert a malicious USB into the center console. Such a scenario — carried out by a carjacker, or possibly a valet or dealer — is essentially unheard of in the real world to date.

Dark Reading has reached out to Visteon for further comment on this story.

**6 Mazda IVI Security Bugs**

Three of the vulnerabilities — CVE-2024-8358, CVE-2024-8359, and CVE-2024-8360 — target functions used to locate and extract specific files during software updates. Because the provided file path is not sanitized, an attacker can step in with their own malicious injection, which gets executed at the root level of the system. With a specially crafted command, this one-step hack could facilitate a full system takeover.

Another way to skin this cat would be to take advantage of CVE-2024-8357, affecting the CMU's System on Chip (SoC) running Linux. The SoC's boot process has no authentication in place, so an attacker with the ability to execute code can take advantage to manipulate files, establish persistence through reboots, and establish control over the system even before it boots up.

The Mazda IVI; Source: Trend Micro's ZDI

CVE-2024-8355 might seem at first a bit different from the rest but, in reality, it's caused by the same underlying problem: lack of sanitization of input data.

To establish a connection with an Apple device, the CMU will request the device's serial number. Because it doesn't apply scrutiny to that value, a spoofed device can send specially crafted SQL code instead. The system's DeviceManager will run that code at the root level, enabling all kinds of malicious outcomes: database exposure, arbitrary file creation, etc.

Last, but certainly not least, is CVE-2024-8356, a missing verification during the CMU software update process. This one, however, affects the unit's other processor, the Verification IP Microcontroller Unit (VIP MCU). The VIP MCU is designed to be separate from the SoC for security purposes, because instead of running the operating system, it connects to the vehicle's CAN bus. The CAN bus, in turn, connects the rest of the vehicle: everything from climate control to the engine and airbags. With a tampered firmware image, ZDI demonstrated that one can jump the SoC to manipulate the VIP MCU, and from there reach the CAN bus.

**Serious, But Unlikely Consequences**

"In truth, it's hard to predict what an attacker could do once they have access to a CAN bus," says Dustin Childs, head of threat awareness at ZDI. "Since the CAN bus serves as the nervous system of the vehicle, a threat actor could potentially impact whatever electronic control units (ECUs) or components that interact with the CAN bus." Translation: Attackers can subvert just about any conceivable part of the vehicle.

"The worst case scenario would be an attacker impacting the driving characteristic of the car, rendering it unsafe to operate," he adds.

Still, the threat is immaterial. For all of the exploits demonstrated by researchers, actual criminals still consistently stick to those older tried-and-true methods of compromise: a stolen set of keys; an unfurled clothes hanger slipped artfully in between a window and a door frame; or a rock, a window, and a good baseball toss.

"At this point, there isn't a lot of real-world impact," Childs admits. "However, as cars become more connected, remote exploitation becomes more realistic. In the last Pwn2Own Automotive, the team from Synacktiv exploited the modem of the Tesla Model 3 over-the-air to reach and interact with the onboard systems of the vehicle. It's just a matter of time until a complete, remote vehicle takeover becomes a real possibility."

He adds, "That's why manufacturers should build in security to each component and not rely on the defenses of other modules. A vehicle should have a multilayered protective system that assumes every message may be from a compromised source. The more we get ahead of the problem now, the easier it will be to react to it in the future."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs

It remains unclear how the attackers gained access to Newpark Resources' system, or what they plan to do with any stolen data the strike may have spewed out.

Source: Don Mammoser via Alamy Stock Photo

Newpark Resources, a Texas-based oil drilling fluids system and composite matting systems provider, announced in a filing with the Securities and Exchange Commission (SEC) that it is dealing with the fallout of a ransomware attack it faced earlier this week.

The company has not shared details as to how the attackers gained access to its network, nor who the threat actors are or why they may have targeted Newpark. But after the breach was discovered, Newpark engaged its security response plan as expected and limited access to certain parts of its systems.

"The incident has caused disruptions and limitation of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions, including financial and operating reporting systems," Newpark said.

According to Matt Hull, global head for Strategic Threat Intelligence at cybersecurity consultancy NCC Group, any data stolen from the critical infrastructure company has not yet appeared on any leak sites.

And because the company reverted to downtime procedures in response to the attack, it was able to continue manufacturing, and its field operations were uninterrupted. It hopes the attack will not have an effect on its financial conditions, it said.

"Organizations are facing an increasingly pressing challenge: maintaining the security benefits of segmentation while enabling controlled connectivity," stated Chris Grove, director of cybersecurity strategy at Nozomi Networks, in an emailed statement to Dark Reading. "Industrial organizations will need to ensure their defenders can quickly isolate and contain threats, while preventing interruptions to critical operations. This is especially important for sectors where downtime has serious consequences in terms of public safety and economic impact, as would be the case with a critical infrastructure sector."

**About the Author**

Mystery Hackers Target Texas Oilfield Supplier in Ransomware Attack

The European Union's Digital Operational Resilience Act requires financial entities to focus on third-party risk, resilience, and testing.

Source: Sikov via Adobe Stock Photo

COMMENTARY 

January 2025 is a big month for the finance industry – and the clock is ticking. The Digital Operational Resilience Act (DORA) is set to shape how financial entities, such as banks, insurance companies, and investment firms, approach their IT infrastructure and data security. According to Article 3 (1), this regulation will enhance "the ability of a financial entity to build, assure and review its operational integrity and reliability."

Although IT security and digital resilience form a part of the reforms that followed the 2008 financial crisis, they've taken a back seat over the years. DORA aims to address the rising cyber threat.  

Member states across the European Union have until January to comply with this new regulation or risk severe fallout. A breach could result in fines of up to 2% of an organization's total annual worldwide revenue or up to 1% of the company's average daily worldwide revenue.  

Despite the urgent call to action, delays are making it difficult for institutions to prepare. While the scoping and harmonization templates were due to the commission in July, public release is uncertain. There are currently no sets of controls or technical standards, so how are those being impacted meant to prepare? 

But with time running out, financial entities do not have the luxury of watching and waiting. Without any real guidance, it's in their best interest to take matters into their own hands and do what they can with the information they have.

**Size Equals Complexity **

As with many new regulations, one of the key challenges is complexity – and DORA takes that to a whole new level, with six chapters and over 280 articles. It introduces a series of new standards and controls that companies must meet and for which a complete restructure of processes may be required.

Remember, DORA is a regulation, not a framework, so comprehending the many requirements is job No. 1 for organizations. To ensure compliance, organizations need full visibility over all company assets. This allows organizations to continuously monitor all systems and identify and address any potential gaps in security. 

**You Can't Protect What You Can't See **

Technology is a borderless entity; DORA calls for complete visibility, despite the vast array of interconnected devices used by firms. The new regulation focuses heavily on data and providing clear and actionable evidence. DORA places a particular emphasis on third-party risk, resilience, and testing – areas currently without an existing framework and becoming more vulnerable every year. 

PCI security standards, for example, focus solely on protecting credit card information. NIST's Cybersecurity Framework covers certain elements of recovery and fills the gap left by PCI, but it still doesn't cover reporting. DORA, on the other hand, doesn't focus so much on penetration testing but more on threat-based testing, requiring organizations to emulate a threat rather than conduct a vulnerability scan.  

So instead of monitoring for any existing cybersecurity vulnerabilities, the new regulations require organizations to monitor for any potential weaknesses – identifying and rectifying them before they can trigger unnecessary risk. This approach minimizes the risks of vulnerabilities developing and ensures organizations have real-time updates on the state of their security. 

**What Can Business Do at This Stage? **

One thing DORA is very clear on is an emphasis on results and the need to continually monitor for threats. This regulation should not to be taken lightly. Under DORA, authorities have the power to request data and execute powers to assess a company's compliance with these regulations.  

As a first step, organizations should conduct a thorough gap-analysis exercise to identify areas in need of improvement – within their own business as well as across their supply chains. Ahead of January, organizations must ensure that their risk management strategies are up to date. Right or wrong, DORA assumes firms have a sufficient risk management framework in place. The same is expected of parties in the supply chain, although how far down the chain is yet to be determined.  

All parties involved need to obtain and maintain detailed knowledge of all critical assets at any given time. Tools that continuously monitor all assets provide real-time critical information on processes across the company. Only through continuous monitoring can organizations understand where the gaps in their security are and ensure they are properly addressed. 

Regardless of delays, DORA is coming and businesses must be prepared. Organizations that view this incoming regulation as more than just another push for compliance – and instead a platform from which to truly enhance their security posture – will gain that all-important competitive edge. Through continuous monitoring and effective threat management, organizations will achieve a new level of protection across their entire network.  

**About the Author**

CEO, Quod Orbis

Martin Greenfield is the CEO of Continuous Controls Monitoring solutions provider, Quod Orbis. He has over two decades in the cyber security space. With his team, Martin helps deliver complete cyber controls visibility for our clients via a single pane of glass, through Quod Orbis’ Continuous Controls Monitoring (CCM) platform. Their clients can see and understand their security and risk posture in real time, which in turn drives their risk investment decisions at the enterprise level.

Preparing for DORA Amid Technical Controls Ambiguity

The journey toward a successful DevSecOps implementation is complex, requiring a strategic approach to overcome the myriad challenges it presents.

Debrup Ghosh, Principal Product Manager, F5 Inc.

November 8, 2024

4 Min Read

Source: Maskot via Alamy Stock Photo

COMMENTARY

In the evolving landscape of software development, the integration of DevSecOps has emerged as a critical paradigm, promising a harmonious blend of development, security, and operations to streamline feature delivery while ensuring security. However, the path to achieving this seamless integration is fraught with hurdles — ranging from the lack of security training among developers to the complexity of security tools, the scarcity of dedicated security personnel, and the generation of non-actionable security alerts.  

Historically, there has been a palpable tension between members of development teams, who prioritize rapid feature deployment, and security professionals, who focus on risk mitigation. This discrepancy often results in a "the inmates are running the asylum" scenario, where developers, driven by delivery deadlines, may inadvertently sideline security, leading to frustration among security teams. However, the essence of DevSecOps lies in reconciling these differences by embedding security into the development life cycle, thereby enabling faster, more secure releases without compromising productivity. Let's explore strategies for embedding security into the development process in a harmonious manner, thereby enhancing productivity without compromising on security. 

**The DevSecOps Imperative**

The adoption of DevSecOps marks a significant shift in how organizations approach software development and security. By weaving security practices into the development and operations processes from the outset, DevSecOps seeks to ensure that security is not an afterthought but a fundamental component of product development. This approach not only accelerates the deployment of features but also significantly reduces the organizational risk associated with security vulnerabilities. Yet, achieving this delicate balance between rapid development and stringent security measures requires overcoming substantial obstacles. 

**Understanding Your Risk Portfolio**

The foundation of effective DevSecOps implementation lies in gaining a comprehensive understanding of the organization's risk portfolio. This involves a thorough assessment of all software resources, including the codebase of applications and any open source or third-party dependencies. By integrating these assets into a centralized system, security teams can monitor security and compliance, ensuring that risks are identified and addressed promptly. 

**Automating Security Testing**

Automating security testing represents another cornerstone of effective DevSecOps. By embedding risk management policies directly into DevOps pipelines, organizations can shift the responsibility of initial security assessments away from developers, allowing them to focus on their core tasks while still ensuring that security is not compromised. This automation not only streamlines the security testing process but also ensures that vulnerabilities are promptly flagged to the security teams for further action. 

**Continuous Monitoring for Proactive Security**

Continuous monitoring is a critical component of DevSecOps, enabling organizations to maintain a vigilant watch over their repositories. By automatically triggering security tests upon any change in the codebase, this approach minimizes the need for developer intervention, ensuring that security checks are an integral, ongoing part of the development life cycle. 

**Simplifying the Developer Experience**

To truly integrate security into the development process, it is imperative to simplify the developer experience. This can be achieved by enabling developers to access information about security vulnerabilities within their familiar working environments, such as the integrated development environment (IDE) or bug-tracking tools. By making security an intrinsic aspect of their daily tasks, developers are more likely to embrace these practices, reducing the friction associated with external security mandates. 

**Conclusion**

The journey toward a successful DevSecOps implementation is complex, requiring a strategic approach to overcome the myriad challenges it presents. By fostering a culture of collaboration, automating security processes, and integrating security into the fabric of development workflows, organizations can mitigate risks without sacrificing speed or innovation. The goal of DevSecOps is not to hinder development with security but to empower developers with the tools and processes needed to build secure, high-quality software efficiently. By adopting these principles, companies can move beyond the "inmates running the asylum" paradigm to a more balanced, productive, and secure software development life cycle.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of his employer.

**About the Author**

Principal Product Manager, F5 Inc.

Debrup Ghosh is a seasoned product management leader with extensive experience in cybersecurity, SaaS, and AI-driven solutions. Currently a principal product manager at F5 Networks, he leads the development of cutting-edge Web application and API protection (WAAP) products with a focus on AI/ML innovations. Debrup has a proven track record of driving product success at major companies including Synopsys, Verizon, and Michelin. His leadership has earned him multiple global awards, including the 2024 Stevie Awards. A recognized thought leader, his insights have been featured in media outlets such as CNN and Forbes. Debrup holds an MBA from the University of California, Irvine, and a bachelor of technology from the National Institute of Technology, Tiruchirappalli.

How Developers Drive Security Professionals Crazy

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Business Leaders Shift to Tangible AI Results, Finds New TeamViewer Study

PRESS RELEASE

ESPOO, Finland, and LONDON, UK, 30th October, 2024:  Xiphera, a provider of highly-optimised, hardware-based cryptographic security, today announced its partnership with Crypto Quantique, a provider of quantum-driven IoT device security. The combination of Xiphera’s nQrux® Hardware Trust Engines and quantum-secure cryptographic IP, with Crypto Quantique’s QDID PUF (Physically Unclonable Function), offers quantum-resilience and immutable device identity for cryptographic hardware modules.  
The QDID PUF generates quantum-derived, secure, unclonable identities based on manufacturing variations unique to each semiconductor chip. The PUF, alongside other cryptographic primitives, forms the essential hardware root-of-trust IP required in security implementations.  
nQrux Hardware Trust Engines offer customisable cryptographic security modules with hardware-level trust and security services for the most critical environments and applications. nQrux IP cores enable full isolation of cryptographic operations and application-specific data into secure hardware elements. Xiphera’s extensive portfolio of cryptographic IP cores includes both traditional cryptographic algorithms, as well as Post-Quantum Cryptography (PQC) fighting against the looming quantum threat.  
“Many industrial and governmental entities recommend implementing quantum-resilient hardware solutions to prevent quantum attacks on current and future data. Cryptographic root-of-trust forms the security foundation of modern hardware infrastructures”, said Kimmo Järvinen, co-founder and CTO of Xiphera. “Upgrading these critical components to quantum-resilient algorithms and integrating Crypto Quantique’s PUF technology enables our customers to protect the identities and core security of their hardware devices into the foreseeable future.”  
Crypto Quantique’s CEO, Shahram Mossayebi, said, “The combination of nQrux Hardware Trust Engines and QDID provides the adaptability and upgradeability required for the security of connected devices. QDID creates random numbers on demand, so there is no need to store cryptographic keys in flash memory. This eliminates the danger of side-channel memory attacks revealing the keys. In addition, because PQC algorithms have large cryptographic keys, the PUF technology reduces the size of flash memory needed, reducing both power consumption and saving silicon area.”  
Learn more about Xiphera’s nQrux Hardware Trust Engines, and Crypto Quantique’s QDID IP cores.

You May Also Like

Xiphera &amp; Crypto Quantique Announce Partnership

Chinese APT groups increasingly lean on open source platform SoftEther VPN for network access. Now they're lending their know-how to Iranian counterparts.

Source: Owen McGuigan via Alamy Stock Photo

Infamous Chinese advanced persistent threat (APT) group "MirrorFace" has made notable moves into diplomatic espionage in the European Union using SoftEther VPN, the emerging tool of choice among these threat groups.

MirrorFace gained wide notoriety with its 2022 efforts to interfere in Japanese elections, and it has maintained operations in the country ever since. But researchers at ESET noticed the group recently popped up in the EU with espionage attacks against an unidentified diplomatic entity.

"For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors," Jean-Ian Boutin, director of threat research at ESET, said in a statement about the findings. "Many of these groups are particularly focused on governmental entities and the defense sector."

**SoftEther VPN Abuse Surges Among Beijing-Backed APT Groups**

Beyond expanding operations to an entirely new continent, ESET said MirrorFace has started increasingly relying on SoftEther VPN to maintain access, but it is not the only group. Other China-backed APTs — Flax Typhoon, Gallium, and Webworm — have also shifted to the open source, cross-platform VPN software favored by many cybercriminals.

In February, a previously unknown adversary group called Hydrochasma was discovered abusing SoftEther VPN in a cyber-espionage campaign against Asia-based shipping companies. In April, Chinese language-speaking threat group ToddyCat was discovered using SoftEther VPN to steal data from government and defense targets in the Asia-Pacfic region on an "industrial scale."

Now, researchers warn, those tactics have landed in Europe.

"Some China-aligned APT groups have shifted to rely more on SoftEther VPN for various reasons. It’s a legitimate software, which helps avoid detection," says Mathiew Tartare senior malware researcher at ESET. "Setting an HTTPS VPN tunnel between the compromised network and the attacker’s infrastructure allows them to easily blend the malicious traffic in the legitimate HTTPS traffic."

Tartare adds SoftEther VPN also lets attackers appear to be an authorized remote user accessing the network using everyday remote desk protocol (RDP) tools.

"We would not be surprised to observe an increase in the use of SoftEther VPN and other legitimate VPN or remote access tools to bypass detections and blend into legitimate traffic," he says.

Notably, Chinese-backed APTs are also lending their cybercrime know-how to Iranian-backed adversaries for cyber-espionage against Iraq and Azerbaijan, as well as French diplomats, according to ESET. Additionally, Iran is putting its hackers to work gaining unauthorized access into financial services organizations across Africa.

Both Chinese and North Korean threat actors have upped the intensity of attacks on educational institutions in the US, South Korea, and Southeast Asia, the ESET report added.

China-Backed MirrorFace Trains Sights on EU Diplomatic Corps

PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Canadians Expected to Lose More Than $569M to Scams in 2024

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

Though Cisco reports of no known malicious exploitation attempts, three of its wireless access points are vulnerable to these attacks.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Cisco is warning of a bug found in its Unified industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) access points that could allow an unauthenticated remote attacker to release command injection attacks.

An attacker could exploit the vulnerability by sending HTTP requests to the Web-based management interface of an affected system. If successful, the attacker could execute arbitrary commands with root privileges in the affected device's underlying operating system.

The vulnerability exists due to an improper validation of input to the Web-based management interface. It affects the three Cisco wireless access points (APs) if they have the URWB operating mode enabled and are running a vulnerable release: Catalyst IW9165D, Catalyst IW9165E (both APs and clients), and Catalyst IW9167E.

Devices not running URWB operating mode remain unaffected by this vulnerability. To ascertain whether URWB is enabled, users should use the "show mpls-config" CLI command.

"If the command is available, the URWB operating mode is enabled and the device is affected by this vulnerability," Cisco said. "If the command is not available, the URWB operating mode is disabled and the device is not affected by this vulnerability."

Cisco said it's unaware of any public exploitation of the vulnerability and has released a fix for the flaw, but there are no other workarounds to address it.

**About the Author**

Source

DARKReading