A security vulnerability in Rockwell Automation's ControlLogix 1756 programmable logic controllers, tracked as CVE-2024-6242, could allow tampering with physical processes at plants.

Source: Kay Roxby via Alamy Stock Photo

A security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices could open critical infrastructure to cyberattacks on the operational technology (OT) that controls physical processes.

According to Claroty's Team82, the bug (CVE-2024-6242, CVSS 8.4), could allow a remote attacker with network access to the device to send elevated commands to the CPU of a programmable logic controller (PLC), from an untrusted chassis card.

"Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis," Claroty researcher Sharon Brizinov explained in a blog posting on the bug.

The result? Successful attackers can download new logic for controlling a PLC's behavior, and send other elevated commands that would interfere with the physical operations of a manufacturing site.

Rockwell has issued a fix, and users are urged to apply it immediately; and the Cybersecurity and Infrastructure Security Agency has published mitigation advice, noting that exploitation is a low-complexity endeavor.

According to Rockwell, ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules, widely deployed in industrial manufacturing environments, are affected by the vulnerability.

**Manipulating the Trusted Slot Mechanism**

The 1756 chassis is a modular enclosure that houses various cards within physical slots that are responsible for communicating with sensors, actuators, and other OT equipment; they also provide the physical and electrical connections to allow those components to interoperate and talk to each other. All of the communication and connections are carried out via a shared circuit board known as the backplane, using the common industrial protocol, or CIP.

"A 1756 PLC in a production line might be connected to multiple sources via different network cards, for example, the human-machine interface (HMI) panel, engineering workstation, and other devices," Brizinov explained. "To ensure that only specific individual devices are performing elevated operations on the PLC such as download logic, a security mechanism was introduced called trusted slot."

The trusted-slot feature ensures that only authorized slots can communicate with each other, protecting against potential tampering. It does this by requiring slots to essentially authenticate to the PLC.

However, Claroty found a way around that.

"Since all slots are connected via the backplane, and CIP supports path (routing), we could generate a CIP packet that will be routed through a trusted card before it reaches the CPU," according to the blog post. "Basically, the method involved 'jumping' between local backplane slots…This technique allowed us to traverse the security boundary that was meant to protect the CPU from untrusted cards."

To prevent the exposure of critical control systems to unauthorized access over the CIP protocol, site security administrators should apply Rockwell's patches immediately:

*   ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014, V35.011, and later.
    
*   GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014, V35.011 and later.
    
*   1756-EN4TR: Update to versions V5.001 and later.
    
*   1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later
    

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Rockwell PLC Security Bypass Threatens Manufacturing Processes

Researchers say "LianSpy" malware has been in use in a covert data gathering operation that's gone undetected for at least three years.

Source: Tero Vesalainen via Shutterstock

An unknown — and likely state-sponsored — threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. This activity has been ongoing for at least three years, according to researchers.

Until now, the campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky, who are tracking the threat as LianSpy. But the tactics that the spyware operators used in deploying the malware could be easily applied in other regions as well, Kaspersky says.

**Post-Exploit Malware**

"LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices," Kaspersky researcher Dmitry Kalinin wrote in a blog post this week. "It remains unclear which vulnerability the attackers might have exploited in the former scenario."

LianSpy is the latest in a fast-growing list of spyware tools. The list includes widely deployed products such as the NSO Group's Pegasus Software and the Intellexa alliance's Predator. Researchers have discovered these malware instances targeting iPhone and Android smartphone users in recent years. The main purchasers — and users — of these tools are typically governments and intelligence agencies that want to spy on dissidents, political opponents and other persons of interest to them.

In many instances — as was the case with last year's Operation Triangulation iOS spyware campaign — the purveyors of mobile spyware tools have exploited zero-day flaws in Android and iOS to deliver and/or run their malware on target devices. In other instances, including one involving an Android spyware tool dubbed BadBazaar last year and another espionage tool dubbed SandStrike in 2022, threat actors have distributed spyware via fake versions of popular applications on official mobile app stores.

**A Three Year Campaign**

Kaspersky researchers first stumbled on LianSpy in March 2024 and quickly determined that the entity behind it has been using the spyware tool since July 2021. Their analysis reveals that the attackers are likely distributing the malware disguised as systems applications and financial applications.

Unlike some so-called zero-click spyware tools, LianSpy's ability to function depends, to a certain extent, on user interaction.  When launched, the malware first checks to see if it has the required permissions to execute its mission on the victim's device. If it does not have the required permissions, the malware prompts the user to provide them. When LianSpy obtains permission, it registers what is known as an Android Broadcast Receiver to receive and respond to system events such as booting, low battery, and network changes. Kaspersky researchers found LianSpy is using super user binary with a modified name ("mu" instead of "su") to try and gain root access on a victim device. Kaspersky officials say this as an indication that the threat actor delivered the malware after first gaining access to the device another way.

"Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges," Kalinin wrote. "This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone."

**Data Harvesting and Exfiltration**

LianSpy's primary function is to quietly monitor user activity by intercepting call logs, recording the device screen especially when the user is sending or receiving messages and enumerating all installed apps on the victim device. The threat actor behind the malware has not used private infrastructure for communicating with the malware or storing harvested data. Instead, the attacker has been using public cloud platforms and pastebin services for these functions.

"The threat actor leverages Yandex Disk for both exfiltrating stolen data and storing configuration commands. Victim data is uploaded into a separate Yandex Disk folder," Kaspersky said in a technical writeup on the malware.

One interesting aspect about LianSpy, according to Kaspersky, is how the malware uses its root privileges on a compromised device. Instead of using its superuser status to take complete control of a device, LianSpy uses just enough of the functionality available to carry out its mission in a quiet fashion. "Interestingly, root privileges are used so as to prevent their detection by security solutions," the security vendor says. Kaspersky researchers also found LianSpy to be using both symmetric and asymmetric keys for encrypting the data it exfiltrates, which makes victim identification impossible.

"Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion," Kalinin said. "Unlike financially motivated spyware, LianSpy's focus on capturing instant message content indicates a targeted data-gathering operation."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Sophisticated Android Spyware Targets Users in Russia

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone did — or didn't — do something they should or shouldn't have, but no one wants to claim responsibility. What's your take? Send us a cybersecurity-related caption to explain the scene, above, and our favorite will win its creator a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the August 28, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Props to Marcello Delcaro, implementation manager at Exiger, whose caption for last month's "Cyber Cloudburst" contest snagged first place and a $25 Amazon gift card. Many thanks to all who played!

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Pointing Fingers

In the cloud, patches disseminate automatically. On your computer, you get notified. IoT devices, meanwhile, can escape attention for years on end.

Source: Nirbokphoto.com via Alamy Stock Photo

Tens of thousands of small office/home office (SOHO) devices sold by Ubiquiti Inc. are vulnerable on the open Internet to a five-year-old bug, researchers are warning.

In January 2019, broadband Internet expert Jim Troutman warned that an exposed port in dozens of Ubiquiti Internet of Things (IoT) gadgets was being exploited in denial-of-service (DoS) attacks. The underlying vulnerability, CVE-2017-0938, was assigned a "high" 7.5 score on the CVSS scale.

Seven months after that, researchers from Rapid7 were still able to find nearly 500,000 vulnerable devices. And now, even though Ubiquiti has long since acknowledged and patched the issue, around 20,000 devices remain vulnerable, Check Point Research noted in a new blog post.

"We can see that some of them were compromised," says Radoslaw Madej, vulnerability research team leader at Check Point Software. "Also, I've only done pretty rudimentary fingerprinting of the devices. It's quite possible that there are more of them \[compromised\] too."

Check Point also warned that besides being used in a SOHO botnet for DoS attack amplification, compromised devices can leak potentially sensitive data, too.

**Exposed Cameras & Routers Can Leak Data**

In probing Ubiquiti gadgets like the G4 Instant Camera — an Internet-enabled camera with two-way audio — Check Point homed in on port 10001, where the exposed process was first identified five years ago. The service at issue: Ubiquiti's discovery protocol, used to communicate between the device and its CloudKey+ controller.

Using spoofed packets, the Check Point researchers discovered that communicating with neither the CloudKey+ nor its connected devices required any sort of authentication. Further, the messages they received in response to their pings included specific information about the devices, plus their owners' names and locations.

"In a few instances, actually, there was a first name and the last name of a person, and what turned out to be a location where a Ubiquiti router was located," Madej recalls. "All this information … it took only one packet from me to receive that response.

"If I wanted to attack this entity, it would be easy for me, knowing the type of router they have, the name of the person, the exact software version, and their business address. \[I could\] find their contact details, and call them up saying: 'Hey, I'm calling from your Internet provider. I need to do some maintenance work. Provide me with access to the admin panel.' Because I can validate myself to this person by giving them all the information they need."

**The Issue with IoT**

Patched Ubiquiti products have a safeguard against Internet-based attacks: They do not respond to pings coming from the wider Web, only from internal IP addresses.

Despite the easy availability of such a simple fix, tens of thousands affected products in the wild remain unpatched. This seems to have a lot less to do with Ubiquiti itself than IoT security in general.

"We got used to patching our Windows machines and MacBooks and mobile phones and whatnot, but we're still not really used to the fact that we should also take care about our IoT devices, be it Wi-Fi routers, cameras, vacuum cleaners, fridges, and washing machines," Madej says.

"Of course," he adds, "the question is: To what extent an end user should even be bothered about it. We live in a time when all devices should have automatic updates enabled by default. I don't think that should be a concern of the end user."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

20K Ubiquiti IoT Cameras &amp; Routers Are Sitting Ducks for Hackers

Though TikTok is expected to adhere to certain COPPA-outlined measures, the social media giant has failed to meet those expectations, the Feds allege.

Source: Wachiwit via Alamy Stock Photo

The Justice Department, alongside the Federal Trade Commission (FTC), filed a civil lawsuit against TikTok on Aug. 2, due to allegations that the popular social media app and its parent company, ByteDance, violate children's online privacy protections.

In 2019, Musical.ly, TikTok's predecessor, was sued for violating the Children's Online Privacy Protection Act (COPPA), which prohibits website operators from knowingly collecting, using, or disclosing personal information from children under the age of 13 unless express consent is obtained from the child's parents. The company was then court ordered to adhere to certain measures in compliance with COPPA.

Since that time, TikTok allegedly has continued to allow children to create TikTok accounts as well as content on the platform, and has collected and retained personal information from these accounts without notifying the children's parents or obtaining consent, according to the Department of Justice (DoJ) and FTC. They also said that the company has failed to honor deletion requests from parents of those underage profiles.

"TikTok knowingly and repeatedly violated kids' privacy, threatening the safety of millions of children across the country," said FTC chair Lina Khan in a DoJ announcement. "The FTC will continue to use the full scope of its authorities to protect children online — especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data."

**About the Author**

FTC Slams TikTok With Lawsuit After Continued COPPA Violations

The enterprise resource planning platform bug CVE-2024-38856 has a vulnerability-severity score of 9.8 out of 10 on the CVSS scale and offers a wide avenue into enterprise applications for cyberattackers.

Brian Jackson via Alamy Stock Photo

A critical pre-authentication remote code execution (RCE) security vulnerability in Apache OFBiz could open organizations to data theft, lateral movement by threat actors into various applications and parts of their networks, and more.

The bug, tracked as CVE-2024-38856, carries a notably high CVSS score of 9.8, given how impactful exploitation could be. Apache OFBiz is an open source enterprise resource planning (ERP) system that has highly privileged access to various business processes for the purpose of single-pane management and automation; these can include accounting, human resources, customer relationship management, order management, manufacturing and e-commerce.

CVE-2024-38856 exists in the override view functionality, and can allow threat actors to access critical endpoints using a crafted request, according to the SonicWall Capture Labs threat research team, which discovered the vulnerability and shared its details with Dark Reading.

To protect their organizations, admins should upgrade their implementations to version 18.12.15 or newer.

OFBiz customers number around 170 and include some heavy hitters, such as Atlassian JIRA, Home Depot, United Airlines, and Upwork Global, according to SonicWall.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Critical Apache OFBiz Vulnerability Allows Preauth RCE

The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

Source: Pawel Opaska via Alamy Stock Photo

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) to exploit software vendor update mechanisms using DNS poisoning. The attacks delivered new variants of the Macma backdoor, as well as post-exploitation malware to exfiltrate sensitive data from compromised networks.

Researchers at Volexity discovered the attack by Evasive Panda, a threat group they track as StormBamboo and that also goes by DaggerFly, when they detected multiple systems becoming infected with malware in mid-2023, they revealed in a recent blog post. The researchers eventually tracked the attacks to the highly active Chinese APT, which they found altering DNS query responses for specific domains tied to automatic software update channels for software vendors, they said.

"StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers," Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster wrote in the post. "Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to Macma and Pocostick (aka MGBot)."

Macma is a backdoor that's often used by Evasive Panda and was first detailed by Google TAG in 2021, though it was used for a number of years before discovery. The latest variant demonstrates the group converging development of both Macma and Gimmick MacOS malware, according to Volexity. The researchers also detected post-exploitation activity to deploy the malicious browser extension Reloadext to exfiltrate victim mail data, they said.

**Poisoning DNS Requests**

Volexity outlined one of several incidents that researchers investigated in which Evasive Panda used DNS poisoning to deliver malware via an HTTP automatic update mechanism. The attack poisoned responses for legitimate hostnames that were then used as second-stage command-and-control (C2) servers, the researchers said.

DNS poisoning is a type of DNS abuse in which an attacker poisons DNS records to reroute network communications to a server under their control to steal and manipulate information transmitted to users. In this case, the APT used the poisoned DNS records to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130.107, which was at the ISP level of the targeted organization.

The logic behind the abuse of automatic updates is the same for all the applications targeted, the researchers noted. The legitimate application performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer.

"Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer," the researchers wrote.

In the attacks, the APT targeted multiple software vendors with "insecure update workflows" that use varying levels of complexity in their steps for pushing malware. For example, one of the vendors, 5Kplayer, uses a workflow, the binary of which automatically checks if a new version of YoutubeDL is available for each time the application is started.

If a new version is available, the process downloads it from the specified URL, and then the legitimate app executes it. In its attack, Evasive Panda used DNS poisoning to host a modified config file indicating a new update was available, which resulted in the YoutubeDL software downloading an upgrade package from the APT's server that had already been backdoored with malicious code.

**Beware: "Highly Skilled" APT at Work**

Volexity notified and worked with the ISP whose network was being used for DNS poisoning. The ISP investigated and took various network components offline, which stopped the malicious activity, the researchers said.

"During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased," they wrote.

The attacks are not the first time Evasive Panda, which often targets organizations across Asia that are interested in the Chinese state, has leveraged legit software update channels for nefarious purposes.

In April of last year, researchers from ESET discovered cyberespionage attacks in which the group targeted individuals in China and Nigeria by hijacking update channels for software developed by Chinese companies to deliver the MGBot malware to steal credentials and data.

Indeed, the group is "a highly skilled and aggressive threat actor" that often "compromises third parties to breach intended targets," the researchers warned.

"The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," they wrote.

The attacks also are related to previous research by ESET concerning the infection vector for the Pocostick malware that also used DNS poisoning to abuse automatic updates, as well as one used by a related APT DriftingBamboo following zero-day exploitation of Sophos firewalls, the researchers noted.

Volexity included a link to various rules and indicators of compromise (IOCs) in its post to help organizations detect if they have been affected by the malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China's Evasive Panda Attacks ISP to Send Malicious Software Updates

Cybersecurity startup Knostic, a finalist in this year's Black Hat USA Startup Spotlight competition, adds guardrails to how AI uses enterprise data to ensure sensitive data doesn't get leaked.

Source: Deemerwha Studio via Shutterstock

The intense popularity of public generative artificial intelligence (GenAI) tools over the past two years has resulted in many applications rolling out new chat capabilities and other features driven by large language models (LLMs). However, many organizations are learning that connecting LLMs to their internal knowledge repositories is a risky endeavor.

"Business leaders are surprised when the search tools provide anyone \[with\] answers to sensitive questions, such as, 'What are people's salaries?' and 'What are the most recent M&A due diligence results?'" says Sounil Yu, co-founder and CTO of Knostic. Even if the permissions and access controls are set correctly on the files containing sensitive data, the inferences made by the LLM can also lead to oversharing.

AI without controls potentially exposes the organization to increased risk, primarily by exposing information to the wrong people, said Gadi Evron, co-founder and CEO of Knostic, in an April interview with Dark Reading.

"How can we curate personalized information and actually give you value — answer with what you need to know instead of just saying stuff?" Evron said.

Knostic says it is the only company defining per-user need-to-know and creating a knowledge control layer.

"Most companies are focused on addressing the oversharing problem solely through data scanning/permissions and information classification," Yu notes.

Knostic's technology provides organizations with visibility, control, and curation. For visibility, the platform continuously queries the GenAI tool (currently Microsoft's Copilot) on various sensitive topics from the perspective of different users and roles to identify unexpected exposures. For control, Knostic's technology captures and displays permissions for content and gives users the ability to modify those permissions. Just because a user can access the data file doesn't mean the user is supposed to know its contents, Yu says.

"By correcting the permissions of sensitive content, we can prevent oversharing through Copilot," Yu says.

Access should not be binary — either yes or no — so the technology gives security teams the ability to curate search query answers to fit the user's need-to-know level.

The company started by focusing on Copilot for M365. Looking ahead, the company is working on solving the need-to-know problem for tools beyond Copilot and Glean for all software-as-a-service tools that incorporate LLMs as a feature.

**Startup Spotlight Finalist**

Evron and Yu originally planned to call the company Knowalls, a play on words that could mean "no walls," "know walls," and "knows all," but decided against it because of the negative connotation around "know-it-alls." The word Knostic is based on the Greek word gnostic, meaning relating to knowledge, which fits with what they were building, Yu says.

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to Knostic's booth will be able to see how the solution "provides visibility into what is being overshared, capture need-to-know, and control and curate access to knowledge based on a user’s need-to-know," Yu says.

**Startup Brief**

If the company were a band, what would its band name be?

Guardians of Gnosis (thrash metal).

If your company had a mascot, what would the mascot look like?

A barn owl, because an owl is known for its knowledge and wisdom.

Startup Spotlight: Knostic Tackles AI's Oversharing Problem

Cybersecurity startup LeakSignal, a finalist in this year's Black Hat USA Startup Spotlight competition, helps organizations see where data is leaking within their environments.

Source: Rico Ploeg via Alamy Stock Photo

Data leakage is a big problem for organizations. While there are many ways to protect data when it is "at rest," it is much harder to know where the data is going, who is accessing it, and how much has already been accessed. LeakSignal is an openly distributed data governance solution that classifies and protects sensitive data.

Customers can block sensitive data before it is logged, observe and redact it during calls to outbound third-party application programming interfaces (APIs), and observe and set limits on internal API data access.

"We are bringing a new observability metric to the world, allowing organizations to understand and govern the data flowing within their environment," says Wesley Hales, co-founder and CEO.

The platform is designed to seamlessly integrate with an organization's existing architecture, he says.

"We don't require an additional container, \[virtual machine\], or traffic routing," Hales says, noting that there is no disruption to existing traffic.

LeakSignal offers data flow governance focusing on real-time, in-transit data classification.

"Unlike traditional data loss prevention tools or perimeter-based security measures, LeakSignal operates within individual services across modern service mesh, microservices, and bespoke internal environments," Hales adds.

LeakSignal relies on natural language processing techniques to classify and manage data in-transit, he says. It is built with Rust, providing flexible deployment options within modern and existing architectures.

"LeakSignal supports many deployment options leveraging WASM, native proxy filters, and pcap that can be easily deployed within existing infrastructures, such as service meshes, serverless, and GenAI workloads," Hales says.

The LeakSignal team recently published the company's data flow governance approach with National Institute of Standards and Technology and is currently working with Payment Card Industry special interest groups to make data in-transit classifications simple for every regulated environment, Hales says.

"Our next focus is on expanding support for more complex AI models and refining our data classification algorithms to provide even more accurate and comprehensive protection," he explains.

**Startup Spotlight Finalist**

The co-founders chose the name LeakSignal to reflect its core mission: to identify and signal data leaks in real time, providing organizations with the visibility they need to protect sensitive information. The "signal" emphasizes the team's focus on proactive monitoring and alerting, ensuring data issues are detected and addressed before they become significant problems, Hales says.

The four finalists in this year's Black Hat Startup Spotlight competition — DryRun Security, Knostic, LeakSignal, and RAD Security — will present their business models to a panel of judges during the Black Hat USA Conference in Las Vegas on Tuesday, Aug. 6. The judges for this year’s competition are Ketaki Borade (senior analyst, Omdia), Coleen Coolidge (CISO adviser, SF Info Security), Trey Ford (CISO adviser), Hollie Hennessy (senior analyst, Omdia), Maria Markstedter (founder and CEO, Azeria Labs), Lucas Nelson (founding partner, Lytical Ventures), Robert J Stratton III (venture partner, NextGen Venture Partners), and Rik Turner (principal analyst, Omdia). The "Shark Tank"-style competition involves each finalist making a presentation and then answering questions from the panel.

Finalists have the opportunity to demonstrate their technology on the show floor at Black Hat. Visitors to LeakSignal's booth will be able to see demonstrations of the platform as well as case studies with existing customers. They will see how easy it is to deploy LeakSignal within various environments and understand its impact on data security and compliance, says Hales. (Fun fact: Hales says next year's booth will be modeled after a post-apocalyptic diner.)

**Startup Brief**

If the company were a band, what would its band name be?

Packet Frenzy. (A chaotic blend of aggressive riffs and complex rhythms mirroring the fast-paced and unpredictable nature of data flows.) "Packet Frenzy thrives on dissonance and mathematical precision, just like LeakSignal's approach to detecting data anomalies," Hales says.

If your company had a mascot, what would the mascot look like?

A person dressed in a HAZMAT suit (for nuclear waste incidents and cleanup), carrying a Geiger counter that detects if a given individual is leaking personal data.

Startup Spotlight: LeakSignal Helps Plug Leaky Data in Organizations

Adopting a military mindset toward cybersecurity means the industry moves beyond the current network protection strategies and toward a data-centric security approach.

Source: ber1a via Alamy Stock Vector

COMMENTARY

Cybercriminals, terrorists, and nation-states are now striking at commercial entities in ways that can kill and injure people or cause physical destruction. A recent attack on Ascension Healthcare Network forced hospitals to divert patients, reschedule appointments, and resort to manual systems, which could have resulted in serious harm to patients. In 2023, two suspects were arrested for conspiring to attack Baltimore's power grid. The potential harm of such an attack has the US government scrambling to improve security.

In addition to the increased "physical" seriousness of these attacks, company executives can now be held legally responsible for them. In 2022, a federal jury found former Uber CSO Joseph Sullivan guilty of obstruction for actions following the company's breach. In 2023, the Securities and Exchange Commission announced charges against SolarWinds chief information security officer (CISO) Timothy Brown in a similar case (many of which were later thrown out). And earlier this year, Microsoft announced that it will “hold senior leadership directly accountable for cybersecurity.”

We historically have distinguished between attacks on business data — financially motivated incidents that threaten an organization's bottom line in the form of fines, loss of intellectual property, and reputational damage — and state-sponsored attacks on military secrets that have the potential to kill and injure people or undermine the operation of the government. Unfortunately, recent events have blurred the line between physical and cybersecurity, forcing businesses to raise the priority of protecting sensitive data, similar to the military.

**The Military Mindset**

In the military, protecting sensitive information has always been paramount, and the industry prioritizes whatever systems it needs for protection, including multiple layers of physical and digital security. The information simply can't be compromised.

By contrast, businesses are more likely to do a cost-benefit analysis, weighing the costs of securing data against the costs of recovering from the damage. As a result, the industry has never built a data-centric security stack, instead preferring a network-based security approach focused on keeping the bad guys out and responding quickly to contain breaches. However, if an attacker breaches the network security layer, sensitive data is quickly exfiltrated and exposed before most organizations can respond to contain the incident.

In order to safeguard their employees and business interests, organizations need to change their mindset to protect sensitive data with the same intensity as the armed forces, intelligence community, and defense industry.

**Principles of a New Data Protection Strategy**

1\. Principle of least privilege (PoLP)

The principle of least privilege in the military and intelligence community mandates that individuals have access only to the information and resources necessary for their specific duties. This minimizes the risk of unauthorized access, data breaches, and espionage by limiting exposure to sensitive information, which thereby enhances overall security and operational integrity.

Similarly, business systems should provide only the right data to the right people at the right time. Recent privacy laws have forced many organizations to begin implementing this capability, but most organizations are a long way from building least privilege into the very fabric of their data infrastructure. Implementing strong data security requires understanding the context of the users' role and duties found in identity access management (IAM) infrastructures, understanding privacy compliance requirements, and having the ability to automatically identify and secure sensitive information in real-time across on-premises infrastructure, public cloud, software-as-a-service (SaaS) applications, and the organization's supply chain. 

2\. Never trust a third party with data

Data must stay where the company can control and protect it. Attackers go after the weakest link in the data supply chain, and this increasingly means people outside the organization, including children, and third-party data platforms, as with SolarWinds. Companies also lose control of data when it's stored on a vendor's cloud data platform where the vendor's security failures put the data at risk. Thus, companies must ensure that vendors who become part of their data ecosystem do not store it, see it, or otherwise have access to it. This can be accomplished by redacting, masking, tokenizing, or encrypting sensitive data automatically as it leaves the control of the organization.

3\. Identify threats in real-time

Too often, businesses have settled for security architecture centered on detection and response with poor response times. According to the 2023 IBM Security "Cost of a Data Breach Report," the mean time to identify (MTTI) and contain (MTTC) a breach is 277 days. When extensive AI and automation were used for incident response, it still took 214 days to identify and contain breaches. In order to prevent data breaches from resulting in the loss of personally identifiable information (PII), we must shift the focus from reactive containment measures that are not working to proactive data security measures that leverage AI to identify and protect sensitive data in real-time as it flows through the organization and block attempts by unauthorized users to access, steal, or manipulate business-critical information.

4\. Never undermine productivity

An impediment to increased security has long been that added security makes processes slower and inhibits legitimate access to data, frustrating users, constraining collaboration, undermining customer experiences, and stifling innovation. To encourage adoption and use, data security solutions must protect data without delaying operations. Otherwise, users will find a way around it.

5\. Make it fast and easy to deploy

Whatever solutions the industry devises, companies must be able to implement them quickly with little disruption to existing workflows. Otherwise, at best, risks could increase during the implementation process. At worst, the solutions won't be implemented at all or will leave critical gaps in the organization's defenses.

**A Call to Arms**

In practical terms, adopting a military mindset toward cybersecurity means organizations must immediately begin demanding that the industry moves beyond the current network protection strategies and toward a data-centric security approach that proactively secures data in real-time. These actions include:

*   Make data protection a topic at board meetings and throughout the organization.
    
*   Ask every vendor about their approach to protecting data, not just the network.
    
*   Ensure every data supply chain partner is working to adopt the above data protection principles.
    
*   Encourage industry regulators to make these principles a key focus.
    
*   Put pressure on the government to require agencies to adopt these principles.
    

These strategies are crucial for moving toward a data-centric security approach that effectively safeguards organizations against evolving cyber threats.

**About the Authors**

Founder & CEO, Dymium

Denzil Wessels is the founder and CEO of Dymium. He’s an established technology leader and an emerging pioneer who is focused on building new technologies and products that solve networking and security challenges.

He is passionate about identifying and solving difficult enterprise business problems in new and unique ways that did not exist in the industry before.

Using this approach, he is able to help build new business, business groups, and successfully transform existing companies looking to grow. His lineage includes companies like Zscaler, Aruba Networks (HPE), Juniper, and F5 Networks.

COO, Dymium

Glenn Ignazio is the COO of Dymium and a retired Air Force Special Operations commander and national security expert. He is best known for his experience translating complex technology into military and intelligence operations that position solutions into commercial, defense, and government organizations. A sought-after national security expert, he's advised defense agencies globally, including the US Assistant Secretary of Defense and UAE Royal Family. Beyond his 22-year military service, Glenn’s impact extends to solution architecture, business development, executive, and operations roles. He holds an executive MBA and has earned recognition for combat operations.

Source

DARKReading