Themed "The Art of Possible," this year's conference celebrates new challenges and opportunities in the age of AI.

Liat Hayun, Co-Founder & CEO, Eureka Security

April 30, 2024

3 Min Read

Source: Aleksandr Matveev via Alamy Stock Photo

COMMENTARY

This year's RSA Conference theme, "The Art of Possible," celebrates the challenges brought about by new frontiers, broken boundaries, and promising horizons. While the shift to the cloud initially caused concern and hesitation, as data began moving through it, across environments and with very little oversight, data security professionals knew this profound shift in the modern business model would bring about not only challenges but also opportunities. As we enter the age of AI, the security community must embrace the possibilities of improved data security mechanisms, alongside — without obstructing — improved business processes. Looking ahead to this year's RSA Conference, here are six leading data security sessions we're excited to attend — and that will help us uncover AI's risks and opportunities.

**My Top Six Picks****Operational Data Governance-by-Design Techniques for a Data Practitioner**

Monday, May 6

Why you should attend: This session, led by Cisco Systems, seems like a unique opportunity to discover practical tools for implementing data governance across your organization while presenting various use cases, with attention given to all aspects of data use and management. Assess your level of data governance by engaging with other data practitioners in the audience in this live discussion.

**Bridging Theory and Practice of Privacy and Data Protection**

Monday, May 6

Why you should attend: The more data floods the industry, the more practical tools security practitioners need to ensure that privacy and data protection concerns are addressed across their organizational environments. This session will include practical examples of integrating data security and privacy guardrails and measures in real business environments, sourced from the audience.

**ChatGPT Unleashed: Solving Data Breach Puzzles With Precision**

Monday, May 6

Why you should attend: A data security challenge leveraging AI? Sign us up! This unique session challenges participants to use ChatGPT prompts to mitigate a looming data breach, with hidden malware waiting to be found and fixed. Beyond a fun experience, this session will expand the knowledge of what may be possible with the next generation of AI technology and lead us through an innovative learning experience.

**Controlling a Data Footprint — How to Build a Data Disposition Framework**

Monday, May 6

Why you should attend: Data is a goldmine for organizations, and they're constantly innovating in how they gather and leverage it to achieve business goals. This session will equip you with a step-by-step approach to building a data lifecycle management framework. This framework will empower companies to decide how long to hold onto data, and outline methods for safeguarding, transforming, or eliminating data to comply with regulations.

**Establishing a Data Perimeter on AWS**

Wednesday, May 8

Why you should attend: While it may seem like there are no boundaries in the cloud era to where data can reside, be stored, and be used, data security guardrails and mechanisms exist for this purpose exactly — to let data roam free for business use, while ensuring that security controls are set in place and visibility is maintained across all environments, at all times. This session will present some of the controls used by AWS to protect data from unauthorized access.

**Data Heist: How Stolen Information Becomes a Hot Commodity**

Thursday, May 9

Why you should attend: We're so busy preventing breaches that we don't often take the time to consider what malicious actors do with the data they steal after the crime. This session dives deeper, exploring the clandestine marketplaces where stolen information is peddled. You'll be exposed to the inner workings of these criminal data shops, with comprehensive risk assessments comparing the vulnerabilities of various data types and how to best protect them.

**Final Thoughts**

While data security has been a top-of-mind business and security concern for the past decade, the ever-evolving landscape of data innovation constantly introduces new and emerging threats for security practitioners. To stay ahead of the curve, cybersecurity professionals must remain vigilant and adapt their strategies accordingly. The upcoming RSA Conference provides a phenomenal platform to achieve just that, with a wide range of sessions on the latest data security trends and solutions. Hope to see you there!

**About the Author(s)**

Co-Founder & CEO, Eureka Security

Liat Hayun is the Co-founder and CEO of Eureka Security, a Cloud Data Security Posture Management platform that enables security teams to successfully navigate the ongoing and often chaotic expansion and growth of cloud data. Prior to co-founding Eureka Security, Liat spent a decade leading cybersecurity efforts in the Israeli Cyber Command and Palo Alto Networks. Her IDF service merited the prestigious Israel Defense Prize. As VP of Product Management at PANW, Liat led the production of Cortex XDR and PANW’s Managed Threat Hunting service. These roles have enabled Liat to pursue her greatest interests and concerns in the cybersecurity threat landscape, as well work with wonderfully talented people on their solutions. Passionate about working closely with others, she is driven to identify meaningful operational security gaps and develop exciting new technologies and strategies to help fellow security leaders tackle them.

The 6 Data Security Sessions You Shouldn't Miss at RSAC 2024

President Joe Biden has updated the directives to protect US critical infrastructure against major threats, from cyberattacks to terrorism to climate change.

The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

On Tuesday, President Joe Biden signed a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.

But foreign cyber threats loom largest as a danger in the near future. “America faces an era of strategic competition, where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by nonstate actors,” Caitlin Durkovich, the deputy homeland security adviser for resilience and response, told reporters during a briefing on Monday.

The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, having concluded that voluntary partnerships were not sufficiently reducing risks to essential services, has applied new cyber rules to the aviation, pipeline, railroad, maritime, and medical device industries, and the Department of Health and Human Services is working on security requirements for hospitals. Now, the administration plans to use the new memo to turbocharge efforts to apply rules to other sectors.

“It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends,” Durkovich says.

The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.

That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.

Anticipating further industry pushback to new rules in various sectors, the White House is promising to collaborate with companies. “These requirements … need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability,” the senior administration official says.

In addition to new cyber standards, the memo attempts to kickstart more harmonious and productive information-sharing relationships between government agencies and private companies. The private sector often complains that agencies either declassify information too slowly or keep it tightly restricted to only executives with security clearances. Many companies say that without timely access to the government’s detailed intelligence about hackers’ activities, it is difficult to stay ahead of those adversaries.

To address these tensions, Biden is directing US spy agencies to redouble their efforts to “collect, produce, and share intelligence” with infrastructure operators, Durkovich says.

The memo requires the Office of the Director of National Intelligence (ODNI) to produce a report on the state of the government’s information-sharing with the private sector. As part of that process, the senior administration official says, ODNI will work with CISA and other agencies to write procedures for better outreach to companies.

The government can look to two recent case studies for insights about the best ways to share useful information without jeopardizing the sensitive sources and methods used to gather it. As Russia began its expanded invasion of Ukraine in 2022, the intelligence community declassified and published intelligence about the Kremlin’s plans at such a rapid tempo that it stunned many former officials. And when officials wanted to warn companies about the seriousness of China’s recent cyber intrusions into US infrastructure, they convened classified briefings that starkly laid out the potential damage Beijing could do in the event of a war.

“We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration,” says the senior official.

In addition to the report on information sharing, the memo also gives ODNI 180 days to produce a formal intelligence assessment on threats to America’s infrastructure, and the senior official says the government “will work to share that” with companies to the extent possible.

Beyond its major substantive changes, the new memo significantly boosts the stature of CISA, which did not exist when the previous plan was written. The memo codifies CISA’s twin roles as a government-wide coordinator for infrastructure security work and as the designated SRMA for eight of the 16 sectors.

CISA has pursued its role as the lead infrastructure protection agency in multiple ways, its director, Jen Easterly, told reporters during Monday’s briefing.

First, CISA reestablished a council of senior officials that makes major decisions about how agencies coordinate to address risks. Second, Easterly says, CISA has provided agencies with “guidance and templates” to help produce risk assessments and risk management plans for each of their sectors. Third, CISA is finalizing a list of “systemically important entities” whose operations power daily life in fundamental ways.

The government will work with the companies on the important-entities list—there are fewer than 500 of them—“to ensure they have the resources necessary to manage risk,” a second senior administration official told reporters on Monday. Those companies will also be priorities for regulation.

While it updates key parts of the government’s defensive playbook, the memo does not change the basic structure underpinning this work: the 16 sectors—each containing a collection of related industries—that together comprise the nation’s critical infrastructure. A CISA report published in late 2021 recommended that the administration consider adding new sectors for the space and bioeconomy industries, but officials decided not to do so.

“Because space is really a part of so many different sectors, it did not, at this time, make sense to break space out as a separate sector,” the second senior official says. (CISA is, however, focused on space cybersecurity.) Government leaders similarly decided that bioeconomy risks were not unique enough to merit a new sector. But both industries could receive their own sectors in the future “if there are significant changes” to the risks they face, says the second official.

In light of how quickly those risks and other conditions could change, the memo directs DHS to submit a “national risk management plan” to the White House every two years summarizing what the government is doing to prevent harm.

Biden administration officials see the new document as more than just an updated strategy. To them, it is a watershed moment in how the government organizes itself to protect Americans from poisoned water, widespread blackouts, and other infrastructure disasters.

The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”

The White House Has a New Master Plan to Stop Worst-Case Scenarios

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise in the xz compression library, which would enable an attacker to silently gain access to a targeted affected system. How did that coordination work under the hood? In this article we will give a behind the scenes glimpse into what this looked like at Red Hat.DiscoveryOn Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he found in a SSH slowdown when using a n

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise in the xz compression library, which would enable an attacker to silently gain access to a targeted affected system. How did that coordination work under the hood? In this article we will give a behind the scenes glimpse into what this looked like at Red Hat.

****Discovery****

On Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he found in a SSH slowdown when using a new XZ library that was shipped by Debian.

The Debian security team relayed this information to the Red Hat Information Security (InfoSec) team. Our InfoSec team is responsible for protecting our network perimeter and company assets.

****Understanding the threat****

InfoSec involved Red Hat’s Product Security (ProdSec) department, the ones in charge of securing the software that we provide to our customers and community. Then, this global multidisciplinary team containing many of our finest developers, PenTesters, offensive analysts, managers, directors and program managers started the then confidential efforts to properly establish, understand and assess the findings from Andres.

After establishing the gravity of the situation, InfoSec and ProdSec engaged their Incident Response Plans (IRP), sharing a more complete view of this embargoed incident to help further understand how it works and assess any potential compromise to our products, both upstream and especially in Red Hat Enterprise Linux (RHEL), as well Red Hat internal assets.

At this stage, there were two major fronts: The most urgent was to determine to what extent, if any, the malware had infiltrated our products. The second was to analyze the malicious nature of the package and better understand its cleverly concealed malicious payloads.

****Securing the fort****

Our next step was establishing the affectedness of our systems, as this presented a number of concerns: Were build systems compromised? Were any other external or internal systems affected? Was there any data exfiltration? If so, was a footprint left behind?

Over the course of the investigation, we found that this is a kind of dormant malware targeting a very specific set of systems: Specifically the x86\_64 architecture, requiring both systemd and sshd. It was not targeting BSDs, Android cell phones, wi-fi routers, IoT devices, Raspberry Pis, or anything else. Essentially, it had to be a standard Linux server.

Querying VirusTotal for the rogue .o object file hash returned no results, so it was indeed something not widely known prior to Andres’ finding.

At this point, we established that this had not affected RHEL and Fedora stable branches. While no Fedora stable builds were affected, Fedora 40 beta nightly builds, the leading edge of Linux innovation, were affected.

The collaboration kept moving swiftly throughout Thursday afternoon (in US time zones), with our InfoSec team delivering the first YARA rules, ProdSec evaluating the Vulnerability Management aspects (which version affects what), and the ProdSec Supply Chain team verifying if our productization pipeline was sound and not using affected versions.

Early Thursday morning, Red Hat and IBM executives were briefed about this incident and given a complete picture of what was known so far.

****Multi-vendor collaboration****

At this stage, distro-lists at Openwall were beginning to see some traffic, but due to the limited reach of this community, we engaged the US Cybersecurity and Infrastructure Security Agency (CISA) to start a collaborative Vulnerability Information and Coordination Environment (VINCE) ticket. This enabled other vendors not participating in distro-lists, as well as the vulnerability discoverer by Andres Freund, to be engaged continuously.

Collaboration continued to flow with the ticket creation, moving around the clock through 48 participating entities: BSDs, proprietary software vendors, national Security Response teams and the heavyweights of the hardware and software landscape were working together to advance and level the field on the findings, investigation progress, other products’ affectedness and more, all done at speed to make the issue public as soon as possible.

****To CVE or not to CVE****

Historically, malware has been categorically and intentionally omitted from the CVE ecosystem. They are typically beyond the control of the vendors who provide software. However, in this case it was embedded into the vendor code, there was a vulnerable condition and relying on antivirus software to detect the existence of this malicious software can leave room for detection failure.

During the discussion with other CVE Numbering Authorities (CNAs), we erred on the side of caution. This is a condition that:

*   Has to be looked for and detected
*   Compromises confidentiality, integrity, and availability
*   Is described by an existing CWE type
*   Is a type of compromise that has a precedent of assigned CVEs
*   Affects a very specific name-version-release (NVR)
*   Is a high profile issue that needs the CVE ID as an industry-wide common identifier

That said, as a CNA, we decided to assign a CVE for this vulnerability: CVE-2024-3094.

****Good Friday****

On Friday, all the ducks (and there were a lot of them) were lined up and while this probably ruined a fair number of holidays, the participants in the VINCE ticket, including the finder, agreed to bring this to the public as soon as possible. As soon as Andres’ post went live in OSS-Security, CISA alerted the general public and Red Hat published a post as well. We had our Communications team fully engaged, informed and ready for the inquiries. Minutes after disclosure in OSS-Security, we started receiving inquiries from major news outlets asking for more information.

The impacted distros immediately pulled back the affected libraries and prepared statements to their user bases.

It was good (no pun intended) that in the end, this attack only affected a very limited set of worldwide systems in a small number of leading-edge distributions, including Fedora, and there was no evidence of further tampering or manipulation in affected systems.

To err on the side of safety, all Red Hat assets that were running the affected Fedora versions were deemed as tainted and were required to be reinstalled or redone.

Although this event had the potential to really hurt the open source community, at the end of the day, it actually displayed its strength. Multiple people, organizations and contributors worked together to stop a very real threat. The imminent incident has been stopped and remediated, but the work is not done. Many lessons have been learned around the world from this event, and I think it is fair to say that the open source community will implement improvements to minimize future risks with our distributions.

Understanding Red Hat’s response to the XZ security incident

The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers -- including AT&T, Sprint, T-Mobile and Verizon -- for illegally sharing access to customers' location information without consent.

The **U.S. Federal Communications Commission** (FCC) today levied fines totaling nearly $200 million against the four major carriers — including **AT&T**, **Sprint**, **T-Mobile** and **Verizon** — for illegally sharing access to customers’ location information without consent.

The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.

The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.

“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”

The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.

The commission said it took action after **Sen. Ron Wyden** (D-Ore.) sent a letter to the FCC detailing how a company called **Securus Technologies** had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that **LocationSmart** — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.

“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.

The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.

The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.

**Update, 6:25 p.m. ET:** Clarified that the FCC launched its investigation at the request of Sen. Wyden.

FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files.

Source: Billion Photos via Shutterstock

A high-severity vulnerability in an R programming language process could expose organizations using the popular open source language to attacks via the software supply chain.

The vulnerability, assigned CVE-2024-27322, has a CVSS vulnerability-severity score of 8.8 out of 10. It involves R's process for deserializing data, or converting objects encoded in formats such as JSON, XML, and binary, back to their original form for use in an application or program.

R is a relatively widely used language for statistical computing and graphics applications. It is popular among developers in sectors such as financial services, healthcare, research, government and in environments involving large datasets such as AI and machine learning. The Comprehensive R Archive Network (CRAN), which is the most popular R package repository, currently hosts more than 20,000 packages, while R-Forge, a site that provides R package development tools, has more than 15,800 registered members and hosts some 2,146 projects.

**Deserialization Issue**

Researchers at HiddenLayer found a weakness in R's process that gives attackers a way to execute arbitrary code in a victim environment via a specially crafted R Data Serialization (RDS) file. Programmers commonly use RDS files to store or save objects in R for future use or for sharing with others.

"This vulnerability can be exploited through the loading of RDS files or R packages, which are often shared between developers and data scientists," HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this week. "An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction," according to the report.

The maintainers of R have addressed the issue in R version 4.4.0 after HiddenLayer informed them of the issue.

**A Lazy Promise Allows Tinkering**

The vulnerability in R that HiddenLayer discovered relates to two fundamental concepts in R, called "lazy evaluation" and "promise objects." Lazy evaluation is a programming technique where an R program does not evaluate an expression or variable until actually required to, or when directly accessed. The goal is to improve performance by avoiding computations for expressions that might end up not being needed. A promise object is closely related to lazy evaluation and represents the object that has been delayed for evaluation.

What the researchers at HiddenLayer discovered was a way to create a promise object with a payload that would run code of their choice when the object was accessed during RDS file deserialization.

"R packages leverage the RDS format to save and load data," according to HiddenLayer. Two files that facilitate this process are an .rdb file that contains all the serialized objects to be included in a package, and an .rdx file that contains metadata about each of the objects.

"When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file," according to the analysis. The objects within the .rdb files are then deserialized.

"An attacker can exploit this by creating an RDS file that contains a specially crafted promise object embedded with arbitrary code," Schulz tells Dark Reading. "Due to the way R implements lazy evaluation, the embedded arbitrary code will be executed once a user has loaded the malicious file or package." An attacker can relatively easily add a weaponized package to an R repository such as CRAN and simply wait for an unwary user to load that package.

**Potentially Vast Attack Surface: Multiple Infection Sources**

There are literally dozens of major hubs, such as R-Forget and Bioconductor, that R developers use to share and download packages. Not only are these hubs providing developers with access to thousands of packages, some, like Bioconductor, with more than 42 million downloads are being used regularly, Schulz says. "Someone just needs to take advantage of the vulnerability and the massive open source space for R packages to affect thousands of downstream users in a potentially massive supply chain attack," he says.

Schulz recommends that organizations move to the latest version of R to mitigate risk: "In addition, organizations should ensure that users of R are made aware of current and potential future vulnerabilities of this nature and make it policy to only use known trusted files and packages."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

R Programming Bug Exposes Orgs to Vast Supply Chain Risk

Okta warns users that the attack requests are made through an anonymizing service like Tor or various commercial proxy networks.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Credential-stuffing attacks targeting online services are spiking due to the accessibility of residential proxy services, stolen credentials, and scripting tools, Okta is warning its users.

From April 19 through April 26, Okta's researchers observed an increase in credential-stuffing attacks against Okta accounts.

Moussa Diallo and Brett Winterford, researchers at Okta Security, note that all recent attacks share a common denominator: The requests are made largely through an anonymizing device such as Tor. 

In addition to this, the researchers found that millions of requests were routed through various residential proxies such as NSOCKS, Luminati, and Datalmpulse. These residential proxies are "networks of legitimate user devices that route traffic on behalf of a paid subscriber." The researchers recently have observed a significant number of mobile devices used in proxy networks where the user has a downloaded app on their device using compromised software developer kits (SDKs).

"Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network," the researchers wrote. "The net sum of this activity is that most of the traffic in these credential-stuffing attacks appear to originate from the mobile devices and browsers of everyday users."

Okta has released a capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that blocks requests from anonymizing services. This feature can be turned on in the settings of the Okta Admin Console. Organizations that want to block access from specific anonymizers must be licensed to use Dynamic Zones, an Adaptive MFA feature.

Okta also recommends that its users shore up best-practice defense measures to prevent account takeovers from credential-stuffing attacks.

"Defense in-depth measures, such as utilizing multifactor authentication on externally available employee access portals as well as sensitive internal systems, are needed here," said Thomas Richards, principal consultant at Synopsys Software Integrity Group, in an emailed statement to Dark Reading. "Additionally, there are anomalous behavior detection systems that can identify if a user is logging in at an unusual time, physical location, or source IP address."

**About the Author(s)**

Okta: Credential-Stuffing Attacks Spike via Proxy Networks

While other professions are making up ground, cybersecurity still lags behind in female representation, thanks to a lack of respect and inclusion.

Source: Valeriy Kachaev via Alamy Stock Photo

Right now, in 2024, at least three of every four cybersecurity professionals is male.

Cybersecurity is hardly the only male-dominated industry, but even in contrast to others — like law (53%), accounting (46%), and doctors of medicine (37%) — it lags behind.

According to new research from ISC2, women make up just 20% to 25% of the cybersecurity industry. And that figure, it noted, has remained relatively consistent for some years.

It stands out even more when compared with the racial makeup of the industry. While the majority of cyber pros over the age of 40 in the US, the UK, Canada, and Ireland are white, the majority under 40 are not. ISC2 found that over the past 12 months, a full two-thirds of new entrants to the industry from those countries have been non-white.

The takeaway? Cybersecurity is fixing its diversity problem, but only halfway.

**Gender Representation in Cyber, by the Numbers**

Just 4% of ISC2 survey respondents indicated that women make up a majority of their security teams. By contrast, 11% admitted they have no women on their teams at all.

There seems to be a mild networking effect at play, too. The average woman in security works with around 8% more women (30%) on average than men do (22%).

The problem is pretty much the same across industries, as the most-diverse sectors, like cloud services, automotive, and construction (all 28% female), don't far outpace the least-diverse (military and energy, each at 20%).

There are, however, some positive trends alongside the lagging ones.

Where only around 14% or 15% of cyber pros over age 40 are women, at least 25% under age 35 are (a relative improvement).

Most interestingly, the women who do make it into the cybersecurity field tend to rise up the corporate ladder at least as high as, if not higher than, their male counterparts. Women own executive titles at a similar clip to men. A greater percentage of them possess managerial-level roles, and a lesser percentage are ranked as individual contributors. And counterintuitive though it may sound, a greater percentage of women in security are involved in the hiring process than are men (33% to 24%).

That data, however, contrasts with other recent findings.

**The Root of the Problem: Exclusion**

In its "2023 State of Inclusion Benchmark in Cybersecurity" report, Women in Cybersecurity (WiCyS) tracked the ways in which women experience exclusion in the industry. "Respect" ranked as the worst issue on its list, but just behind respect was "career and growth opportunities."

"Women are experiencing a glass ceiling at around six years," reports Lynn Dohm, executive director at WiCyS. "You could imagine the journey for a woman in cybersecurity as they're advancing in their career, not necessarily getting the stretch assignments they're anticipating, perhaps their managers aren't taking initiative and identifying the trajectory of their career within the organization, they're getting passed up for promotions and experiencing that lack of respect with microaggressions, tokenism, comments. All of that leads up to the point where an individual would likely choose to step out of the career and move into other areas."

It's a self-fulfilling cycle: Too little female representation is leading more women to steer clear of security. As Dohm puts it: "Lack of diversity in the workforce is a symptom of the lack of inclusion."

Simply hiring more women doesn't solve the problem, either, since exclusion extends far deeper than any one person or organization can account for.

"The gender gap in cybersecurity begins long before women reach the workforce," explains Jessy McDermott, partner solution architect at Aqua Security. "I know firsthand as a former engineering student that this gap existed at the college level. For example, only four other women — out of an original 15, excluding myself — completed the engineering program alongside me at UMass Dartmouth. During those four years, I experienced an ongoing prejudice and doubt and saw how women were ultimately driven out of the field before they even graduated.

"This is only exacerbated as time goes on and women begin to see that careers in information technology or cybersecurity are 'male-dominated.' If you’re somehow able to get through college without being driven out of the field, you've just started the first leg of a never-ending journey. Ultimately, this can all lead to imposter syndrome, which myself and many female friends in the industry deal with. I have days where, even now, as a cybersecurity professional with years of experience under my belt, I still get challenged to show and, more importantly, prove my knowledge to others."

So, she adds, "I love how more companies are going out of their way to hire more women into the field, but to see a difference, women need internal support to feel confident and be successful in their roles."

**Non-Diversity Consequences to Companies**

Besides the obvious consequences for people, there are also consequences for uniformity for companies.

"When retention isn't there for female talent, it costs money, because it's pulling back out recruiting dollars. And it's also a reputational risk," Dohm notes.

"Broader than cybersecurity, there's a body of research that says the more perspectives you bring to the table, the better off you will be at problem solving," says Clar Rosso, CEO of ISC2. "In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense."

Dohm puts it tersely: "It's a security risk not having the diverse perspective that women bring to the cybersecurity workforce."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cybersecurity Is Becoming More Diverse … Except by Gender

Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.

Source: Wirestock, Inc. via Alamy Stock Photo

Hard on the heels of a significant data theft at UnitedHealth, fellow healthcare behemoth Kaiser Permanente publicly announced a data breach affecting 13.4 million current and former insurance members.

Kaiser's systems inadvertently shared patient data with third-party advertisers, including Google, Microsoft, and social platform X, the company said, thanks to the presence of improperly implemented tracking code that Kaiser used to see how its members navigated through its Web and mobile sites.

"Certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," the company said in a media statement.

The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia.

Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

**About the Author(s)**

13.4M Kaiser Insurance Members Affected by Data Leak to Online Advertisers

Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.

Source: Mrinal Pal via Shutterstock

During an investigation into the activities of a threat group providing domain name system (DNS) infrastructure for illicit online gambling sites, threat researcher Renée Burton discovered something completely novel: Covert traffic immune to China's government-run firewall using open DNS resolvers and mail records to communicate.

The China-linked group — dubbed Muddling Meerkat — has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China's Internet from the rest of the world, Burton, vice president of threat research at network security firm Infoblox, wrote in an analysis published this week.

While most requests for restricted domains return a seemingly random IP address, Muddling Meerkat is able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.

The goal of the capability remains unclear — most likely it's for reconnaissance or establishing the foundations of a DNS denial-of-service attack, Burton says — but the demonstrated expertise and ability to pierce the GFW deserves additional research, she says.

"We have a deliberate, very cunning use using very detailed knowledge of DNS — this is not your average cybercriminal; this is not your average teenager; these people are experts in DNS," Burton says. "So we have something that has been going on for four and a half years at this point, which isn't observable in any one location, but is deliberate and constant — and that combination of things, to me, is worrisome."

The threat research comes as the governments of the United States and other nations have warned that China's military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts. While many threat researchers have noted China-linked hacking groups' expertise in finding and exploiting zero-days in edge devices such as firewalls and virtual private network (VPN) appliances, the current research underscores their capabilities in utilizing the domain name system (DNS) for their own purposes.

**Great Chinese Firewall: "Operator on the Side"**

The Chinese Communist Party prevents its citizens from going to content that the government considers inappropriate or illegal — not by blocking the traffic, but by returning fake responses to DNS queries that prevent a user in China from connecting to the desired site. The approach, dubbed the Great Firewall (GFW), is not an inline traffic filter nor a platform that alters DNS responses on the fly, but rather an "operator on the side" that issues a response that competes with any packet from the original intended destination, says Burton.

While the Great Firewall does not intercept traffic, China does operate another system — often referred to as the Great Cannon (GC) — that takes the adversary-in-the-middle (AitM) approach, modifying packets en route to their destination, she wrote in the report.

"In combination, the GFW and GC create a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS," the report said. "Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy."

Mail (MX) records from kb.com, even though the domain has no mail service. Source: Infoblox

Typically, researchers can see the Great Firewall in operation. When they send a DNS request to a domain considered to be out of bounds by the Chinese government, the GFW will return a seemingly random IP address. When they ask for a non-existent service for that domain, such as a mail (MX) record, the GFW still sends an IP address. However, Infoblox researchers and their industry partners instead saw mail records for domains that had no mail services, and each MX records had a seemingly random, albeit short, host name.

Kb.com, for example, has no MX records, but the researchers have seen a large number of mail responses, seemingly from the domain for servers with names such as "pq5bo\[.\]kb\[.\]com" and "uff0h\[.\]kb\[.\]com".

**Covert Widespread DNS Traffic**

The unexplained Internet traffic — which was initially detected as far back as Oct. 15, 2019 — could be some sort of reconnaissance that uses open resolvers and "super-aged" domains that foil many DNS block lists, says Burton.

"It's super under the radar, right? So that's kind of a recon-y looking thing," she says. "The other thing about it, though, is it has that DNS denial-of-service aspect. There are concerns that the Chinese are positioning themselves for operations against critical infrastructure, and here they've positioned themselves in DNS in a really weird way."

Combined with the recent announcement by the US Cybersecurity and Infrastructure Security Agency (CISA) that China is pre-positioning itself inside other organizations' infrastructures, Infoblox decide to go public with what the company and its anonymous partners had discovered.

Infoblox collaborated with other organizations, which the company declined to name due to worries of retribution and the potential loss of access to the DNS activity data. While the Muddling Meerkat operation appears similar to some "slow drip" DNS denial-of-service attacks, determining the purpose of the traffic will likely require more research participants, Burton says.

"I don't believe there's anyone who can see this operation in totality," she says. "Every single piece is seen individually, and then what we did was we brought a bunch of different pieces together, so we could see the whole thing. This is a complete mystery ... but it definitely is there."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#auth