Ransomware: contemporary threats, how to prevent them and how the FBI can help
In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors,

**_Ransomware: contemporary threats, how to prevent them and how the FBI can help_**

In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis.

**The Ransomware Landscape**

Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade. Since 2015, ransomware gangs have been targeting organizations instead of individuals. Consequently, ransom sums have increased significantly, reaching millions of dollars.

Ransomware is effective because it pressures victims in two, complementary ways. First, by threatening victims to destroy their data. Second, by threatening to publicize the attack. The second threat has an indirect impact, yet it is just as serious (if not more). Publication could trigger regulatory and compliance issues, as well as negative long-term brand effects.

Here are some examples of real ransomware notes:

Ransomware as a Service (RaaS) has become the most widespread type of ransomware. In RaaS attacks, the ransomware infrastructure is developed by cyber criminals and then licensed out to other attackers for their use. The customer attackers can pay for the use of software or they can split the loot with the creators. Etay maor, Senior Director Security Strategy at **Cato Networks** commented, "There are other forms of RaaS. After receiving the ransomware payment some Ransomware groups sell all the data about the victim's network to other gangs. This means the next attack is much simpler and can be fully automated as it does not require weeks of discovery and network analysis by the attackers."

Some of the major RaaS players, who are notorious for turning the RaaS landscape into what it is today, are CryptoLocker, who infected over a quarter million systems in the 2000s and profited more than $3 million in less than four months, CryptoWall, who made over $18 million and prompted an FBI advisory, and finally Petya, NotPetya and WannaCry who used various types of exploits, ransomware included.

**How the FBI Helps Combat Ransomware**

An organization under attack is bound to experience frustration and confusion. One of the first recommended courses of action is to contact an Incident Response team. The IR team can assist with investigation, recuperation and negotiations. Then, the FBI can also help.

Part of the FBI's mission is to raise awareness about ransomware. Thanks to a wide local and global network, they have access to valuable intelligence. This information can help victims with negotiations and with operationalization. For example, the FBI might be able to provide profiler information about a threat actor based on its Bitcoin wallet.

To help ransomware victims and to prevent ransomware, the FBI has set up 56 Cyber Task Forces across its field offices. These Task Forces work closely with the IRS, the Department of Education, the Office of Inspector General, the Federal Protective Service and the State Police. They're also in close contact with the Secret Service and have access to regional forensics labs. For National Security cyber crimes, the FBI has a designated Squad.

Alongside the Cyber Task Force, the FBI operates a 24/7 CyWatch, which is a Watch Center for coordinating the field offices, the private sector and other federal and intelligence agencies. There is also an Internet Crime Complaint Center, ic3.gov, for registering complaints and identifying trends.

**Preventing Ransomware Attacks On Time**

Many ransomware attacks don't have to reach the point where the FBI is needed. Rather, they can be avoided beforehand. Ransomware is not a single-shot attack. Instead, a series of tactics and techniques all contribute to its execution. By identifying the network and security vulnerabilities in advance that enables the attack, organizations can block or limit threat actors' ability to perform ransomware. Etay Maor added "We need to rethink the concept that "the attackers need to be right just once, the defenders need to be right all the time". A cyber attack is a combination of multiple tactics and techniques. As such, it can only be countered with a holistic approach, with multiple converged security systems that all share context in real time. This is exactly what a **SASE architecture**, and no other, offers the defenders".

For example, here are all the steps in a REvil attack on a well-known manufacturer, mapped out to the MITRE ATT&CK framework. As you can see, there are numerous phases that took place before the actual ransom and were essential to its "success". By mitigating those risks, the attack might have been prevented.

Here is a similar mapping of a Sodinokobi attack:

Maze attack mapping to the MITRE framework:

Another way to map ransomware attacks is through heat maps, which show how often different tactics and techniques are used. Here is a heat map of Maze attacks:

One way to use these mappings is for network analysis and systems testing. By testing a system's resilience to these tactics and techniques and implementing controls that can mitigate any risks, organizations reduce the risk of a ransomware attack by a certain actor on their critical resources.

**How to Avoid Attacks - From the Horse's Mouth**

But don't take our word for it. Some ransomware attackers are "kind" enough to provide organizations with best practices for securing themselves from future ransomware attacks. Recommendations include:

*   Turning off local passwords
*   Using secure passwords
*   Forcing the end of admin sessions
*   Configuring group policies
*   Checking privileged users' access
*   Ensuring only necessary applications are running
*   Limiting the reliance of Anti-Virus
*   Installing EDRs
*   24 hour system admins
*   Securing vulnerable ports
*   Watching for misconfigured firewalls
*   And more

Etay Maor of Cato Networks highlights "Nothing in what several Ransomware groups say organizations need to do is new. These best practices have been discussed for years. The reason they still work is that we try to apply them using disjoint, point solutions. That didn't work and will not work. A SASE, cloud native, architecture, where all security solutions share context and have the capability to see every networks flow and get a holistic view of the attack lifecycle can level the playing field against cyber attacks".

**Ransomware Prevention: An Ongoing Activity**

Just like brushing your teeth or exercising, security hygiene is an ongoing, methodical practice. Ransomware attackers have been known to revisit the crime scene and demand a second ransom, if issues haven't been resolved. By employing security controls that can effectively mitigate security threats and having a proper incident response plan in place, the risks can be minimized, as well as the attackers' pay day. The FBI is here to help and provide information that can assist, let's hope that assistance won't be needed.

To learn more about ransomware attacks and how to prevent them, **Cato Networks' Cyber Security Masterclass series is available for your viewing.**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The FBI's Perspective on Ransomware

**JERUSALEM, ISRAEL (PRWEB)** **JANUARY 03, 2023 --** C2A Security, a leading provider of automated cybersecurity solutions for connected, autonomous, and electric vehicles will showcase its flagship product, EVSec, during the Consumer Electronics Show (CES 2023) taking place in Las Vegas, January 5-8, 2023. EVSec’s innovative automated cybersecurity DevOps platform helps C2A Security customers and partners including Thundersoft, NTT Data, Marelli, MIH, and more, manage software at scale.

As electric and software-defined vehicles become more popular on the roads, governments are instituting regulations, and OEMs, tier-1, and tier-2 suppliers are seeking ways to keep up with this new, ever-evolving industry landscape. C2A Security’s EVSec - Cybersecurity DevOps platform - was built to automate the compliance process for current and emerging cybersecurity standards and regulations. EVSec enables developers to focus on innovation and enhancements, such as new products and features, so automotive companies can stay competitive and provide more business value to the end customer while getting built-in, efficient, and streamlined cybersecurity at scale.

With automotive regulations in Europe and the US promoting the future sales of EVs to rise, cyber threats are inevitable, making C2A’s EVSec solution critical to maintaining the safety of not only the drivers but critical infrastructures as well. Growing its sales funnel by 15 times this past year, and creating strategic partnerships with European, US, and Asian-based OEMs and Tier-One suppliers, C2A Security’s award-winning solution has proven a necessity for the future of the global EV ecosystem.

Partners include:

Thundersoft\- C2A provides the necessary tools for OEMs and suppliers in China to enable the development of intelligent connected and electric vehicles and to effectively identify and respond to cyberattacks and provide full lifecycle security protection for the automotive industry.

"We have deeply felt the growth of the intelligent connected vehicle business and cybersecurity is an indispensable part of the intelligent connected vehicle," says Wenguang Wu, Executive President of ThunderSoft. "The cooperation with C2A Security provides cybersecurity solutions for the whole lifecycle of connected vehicles in China. We look forward to expanding the cooperation globally and bringing the vehicle industry to a safer future."

NTT Data Corporation \- A Japanese multinational player in the field of IT services: C2A Security’s EVSec platform will be sold globally by NTT DATA and is the first platform selected to be incorporated in the new Global Automotive Security Test Center of NTT Data. 

“We want to apply our expertise in cybersecurity to the connected car sector, thanks to our global Automotive Security Test Center and to our collaboration with C2A Security, NTT DATA will be an international reference point to protect connected cars from cyber-attacks and ensure the drivers' safety,” said Marco Garelli, Head of Automotive at NTT DATA Italy.

Marelli - C2A Security’s joint project with Marelli, a leading global Tier-1using EVSEC Attacker, intelligent system level, and security validation tool to shift left the system validation process using the information from the target to support more targeted, faster, and result-oriented testing which leads to smart and efficient validation. 

“Fuzz testing, with C2A’s solution, enables early discovery of vulnerabilities hence reducing the time needed to deliver SW and products,” said Cosimo Senni Guidotti Magnani Senior Manager Connected Vehicle Cyber Security of Marelli

MIH Consortium - C2A Security is the ambassador of the Foxconn-initiated MIH Consortium winning the MIH startup challenges and showing a strong alignment with the MIH open and agnostic EV platform built by MIH, C2A is an official MIH member and contributes to bringing cybersecurity as a full component of MIH projects. 

“C2A Security shares the same vision as MIH, in offering a seamless and holistic approach to automotive cybersecurity over the entire lifecycle,” said Jack Cheng, CEO of MIH Consortium

At CES, C2A’s executive team is scheduling appointments and demonstrations of EVSec at the Westgate Hotel to showcase the solution and the value it provides to its customers.

About C2A Security 

C2A provides automated cybersecurity solutions to enable the connected, autonomous, and electric mobility revolution. C2A Security's flagship product EVSec is a Cybersecurity DevOps platform, helping automotive companies remain competitive and provide more business value in the software-defined vehicle era, supporting the security lifecycle from development to operations and back and automating the process of complying with cybersecurity standards and regulations. Using EVSec, C2A’s customers get efficient and streamlined cybersecurity, managing software at scale while overcoming the shortage of professional cyber experts, reducing costs and time to deployment.

C2A Security To Showcase Automotive Cybersecurity DevOps Platform at CES In Las Vegas, January 5-8

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Raspberry Robin Worm Hatches a Highly Complex Upgrade

EuskalHack Security Congress sixth edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks. This exclusive conference is shaping up as the most relevant in Basque Country, with an estimated 200 attendees for this sixth edition. The participants include specialized companies, public organisms, state security organizations, professionals, hobbyists and students in the area of security and Information Technology. The date for the conference is the 23th and 24th of June 2023 in the lovely city of Donostia San Sebastian.

                                                                                                                                          i@@@@@@@@@@@@t                                                                                                 ;@@@@@@@@88@@@@@@@@t                                                                                            ,@@@@@:          .@@@@@1                                                                                         C@@@@                8@@@8                                                                                       L@@@L                  ;@@@8                                                                                      @@@0                    f@@@,                                                                                    1@@@.                     @@@C                                                                                ::  t@@@                      @@@0   ,                                                                           @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@f                                                                          @@           G@@@@@@@@@@@G          i@L            _____          _         _ _   _            _                  @@       1@@@t;8@C8GG088.f@@@i      ;@f           | ____|   _ ___| | ____ _| | | | | __ _  ___| | __              @@     8@@t8@@@@@@i@L@0@@@@0;@@G    ;@f           |  _|| | | / __| |/ / _` | | |_| |/ _` |/ __| |/ /              @@   f@@ .@@@@f@01C@L1@@C@@@@ .@@:  ;@f           | |__| |_| \__ \   < (_| | |  _  | (_| | (__|   <               @@  8@G  @GL;8@@@@@@@@@@@L:C0@  G@C ;@f           |_____\__,_|___/_|\_\__,_|_|_|_|_|\__,_|\___|_|\_\              @@ 8@L     @@@@@@@@@@@@@@@@f     C@t;@f           / ___|  ___  ___ _   _ _ __(_) |_ _   _                         @@i@@     @@@@@@@;   ,@@@@@@8     @@i@f           \___ \ / _ \/ __| | | | '__| | __| | | |                        @@@@i    @@@@@@@       0@@@@@i    i@@@f            ___) |  __/ (__| |_| | |  | | |_| |_| |                       @@@@@0    @@@@@@8       C@@@@@G   1@@@@@;          |____/ \___|\___|\__,_|_|  |_|\__|\__, |    ___    ___ _        @@@@,    @@@@@@@8     C@@@@@@L    ,@@@f            / ___|___  _ __   __ _ _ __ ___  |___/__   \  \  /  /| |        @@C@C    :@@@@@@@@   @@@@@@@@     C@t@f           | |   / _ \| '_ \ / _` | '__/ _ \/ __/ __|   \  \/  / | |        @@ @@     ;@@@@@@@   @@@@@@@      @@;@f           | |__| (_) | | | | (_| | | |  __/\__ \__ \    \    /  | |        @@ ,@@      8@@@@@@@@@@@@@i      @@ ;@f            \____\___/|_| |_|\__, |_|  \___||___/___/     \__/   |_|        @@  .@@,      .@@@@@@@@@       :@@  ;@f                             |___/                                         @@    0@@  .8@0C@8@@@8@0L@8,  @@C   ;@f                                                                           @@      0@@L  :@@@@@@@@@,  G@@G     ;@f                                                                           @@        .8@@@8C@C@18G@@@@8.       ;@f                                                                          @@@8GGGGGGGGGGGG8@@@@@@@8GGGGGGGGGGGG@@@,                                                                         G@@1:::::::::::::::0@::::::::::::::::@@@                                                                   ] EuskalHack Security Congress VI Call For Papers [Introduction------------EuskalHack Security Congress sixth edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks.This exclusive conference is shaping up as the most relevant in Basque Country, with an estimated 200 attendees for this sixth edition.The participants include specialized companies, public organisms, state security organizations, professionals, hobbyists and students in the area of security and Information Technology.Date and location-----------------The date for the conference is the 23th and 24th of June 2023 in the lovely city of Donostia – San Sebastian.Take part as a speaker----------------------We want to open the doors to all those who wish to be part of this fifth edition of the EuskalHack Security Congress in one of the various categories of talks and workshops we offer.We are looking for small workshops or talks related to digital security, information security or tech in general, such as: - Robotics, Drones, Consoles, Hardware Hacking, Gadgets, mobile environments... - Critical infrastructure security, industrial environments, Smart City, financial... - Cloud insecurity, virtualization, containers, Hardening, DevOps, cloud forensics... - GSM signal hacking, SDR, LTE, 4G/5G, Satellite links, VoIP... - Cryptography, steganography, forensics techniques and countermeasures... - AI, Neuronal networks, Data mining, statistical modeling... - Malware, APT, Sandboxing, Sandbox escapes, Bypassing “things”... - Corporate security and intelligence, Social engineering, OPSEC, OSINT... - Web Hacking, SQL and NoSQL injection, LDAP injection, Hacking with search engines... - Hacktivism, net neutrality, Deep web, darknet, cryptocurrencies... - Reverse engineering.All proposals will be valued according to their originality, educational value, contribution to the community, and the capacity to make our audience have a good time.Highest priority will be given to those proposals that have not been previously exhibited at another event. Please don't forget to indicate it when making your submission.Language and internationalization---------------------------------At EuskalHack we value linguistic diversity and internationalization; this is why we accept talks in Spanish, Basque or English. Just let us know what language you plan to use for your slides and for the talk. Note: We positively value bilingual options which can be understood by the maximum number of attendees as possible as, for example, slides in one language while speaking in another one.Talks and Workshops-------------------We will have several spaces over the course of the event, which will include talks and workshops concurrently, taking two different approaches: * Standard talks: 50 minutes duration * Specific workshops: 120 minutes duration    Once all the proposals have been received, the total number of presentations of each type will be determined, considering aspects such as technological diversity and the audience.Workshops will be taught on June 24 with a capacity of 40 attendees. In addition, please confirm the necessary infrastructure and material required in the sent proposal.Proposals---------Proposal submissions should be sent before April 23th through the forms found on the following links:ENGLISH    https://forms.gle/xr3wEfiJYuFkwVYr5SPANISH    https://forms.gle/iPH3LRoSfzyjY3Em6  EUSKERA     https://forms.gle/CGRhHeVbCysQ5A7G8Dates to consider-----------------The following are the dates and milestones which should be considered during various phases by the speakers directly involved:26/12/22    Speaker registration begins23/04/23    Speaker registration ends30/04/23    Speaker confirmation date deadline by the organization 15/05/23    Speaker requirements submission31/05/23    Follow-up communication22/06/23    Speakers reception23/06/23    EuskalHack Security CongressCommitment in meeting the dates set by those interested for the paper planning and effective implementation of the congress is requested.Speaker rights and privileges----------------------------- * Take part in the reference security congress in Basque Country. * Round trip paid by the organization (conditions to be agreed *). * Accommodation paid in a hotel near to the congress, in the beautiful city of Donostia - San Sebastian (Double room). * Complete access to the conference with a companion. * Dinners with the other speakers and conference organizers.Disclaimer---------- * The talks and workshops not exhibited previously at other security congresses or media will be considered a priority. * Compliance with obligations and regulations by all concerned parties is vital to avoid any setbacks for the speaker and the congress. * The duration of the talks must stick to the terms of the agreement, allowing the audience to have time for the round of questions. * The talks and workshops must stick to the computer security ethical code, common sense and the applicable laws. * It is essential that you indicate the needs regarding travel and accommodation in order to manage your stay with us in the best possible way.  The organization reserves the right not to take charge of this aspect if it is not expressly indicated.Sponsors--------------Being part of EuskalHack as a sponsoring company implies having presence and impact in a unique and singular area, allowing directing a message to a target audience, and facilitating and strengthening your brand and products’ knowledge in a major community event.We have a maximum number of allowed sponsors, as we consider it essential to establish a balance between the visitors and the companies involved. If you would like to be a part of the conference, please contact us as soon as possible at the following address: info@euskalhack.orgContact-------Web:        http://www.euskalhack.org/Mail:       info@euskalhack.orgTwitter:    @EuskalHack

EuskalHack Security Congress VI Call For Papers

Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application. (Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.)

��ܥ�!U�sЕ������'��.�yZB<�|�iHF�ҁ!%�m���m/7}�3i��<�vD�|;�눩|�u\`H U)�����3��������9�;��p)P����!� 6��Un��?��PHˋ�i\[e ���a�v� �e?�5�<�F>b�\],a��w�KÓ8�K�\` �1�:�F�ţl�"�5�9�F~R�Y�p0O���|2 �IAa���s0|��b�p!����b�c#?&�ϓ88흷 i��������e�o�E,�����L�1�͋�P���$f�s8���b�/�N�B�\]qp���s0����"-ҡ9���A�/c�\[o���%�����dR�HD�\_��\[��ՒW���K%�l�(��eڈ��M�0N{�?�D�a��8���W����K%�l�(�Xeڈ �PdJ,O�Ȓ��~�%�z��tRUȎ�b�O��@:�Cq�)q��.�8��-�b�u1�$ن7t�� Y�ȨM���7p��a��"�6j��k\]1I����8H��Z� "�e��%�+-y�F��v{��Q^E��L qȷ���'�%�r}�{-V��(iQE�� �Ƿaψ�8H�8HKw�t���z,&�Ea��ڰ���0�jL�.,q��Wư���K:d�'=�J�o�����������2��K�e���<��m\_�y8�%�!�f�y�1>-u��2�����!T�e�$�qTQ���o������j���Ϟc�$z��w/ q���yc�z�e,u�/I�6\_�F@bi��Ak�\`I��n�,�F'o��"�?�A�V~�K�$/�9s��;�n��uce���.���pp�Z$���Kp�߮UƎ����Fuq0Y{�P(�R�,Mؐa� \_��c��\`K\\o�����d��>�MV�i�=\\dG

CVE-2022-34322

The effectiveness of attacks largely depends on organizations' distributed denial-of-service defenses.

As Russian ground troops prepared to enter Ukraine in February 2021, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were slammed with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time.

Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.

What seems clear is that whether issued by hacktivists or nation-states, DDoS attacks are often the opening salvo between opposing forces in today’s geopolitical conflicts. Compared with other types of cyberthreats, DDoS attacks can be launched relatively quickly. In addition, while DDoS attacks can cause significant disruption on their own, they can also mask or distract attention from more significant threats.

And, as seen in Ukraine and elsewhere, the use of DDoS attacks on the digital battlefield seems to be increasing. This article will examine the history of DDoS attacks for geopolitical conflict compared with recent attacks, providing insights that organizations can use to protect themselves from collateral damage.In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

**2022: A Record-Setting Year for DDoS**

The use of DDoS attacks to gain geopolitical advantage is nothing new, but the frequency at which these types of attacks are growing is noteworthy. In the latest "DDoS Threat Intelligence Report," Netscout reported more than 6 million attacks in the first half of 2022. Of these attacks, a majority corresponded with national or regional conflicts.

To continue with the Ukraine example, the frequency of DDoS attacks directed at Ukraine leveled off by April 2022, while cyberattacks ratcheted up against perceived allies of Ukraine. This likely is attributable to Ukrainian Internet properties migrating to countries like Ireland, as instability in the intra-Ukraine Internet forced many network segments to rely upon connectivity in other countries.

Echoes of this conflict continue to resonate across the global Internet. In March 2022, India experienced a measurable increase of DDoS attacks following its abstentions from United Nations Security Council and General Assembly votes condemning Russian actions in Ukraine. Similarly, during the first half of the year, Belize endured its single highest number of DDoS attacks on the same day that it made public statements in support of Ukraine.

Elsewhere, the nation of Finland — a close neighbor of Russia — experienced a 258% percent year-over-year increase in DDoS attacks coinciding with its announcement to apply for membership in NATO. Poland, Romania, Lithuania, and Norway, meanwhile, all were targeted with DDoS attacks by adversaries linked to Killnet, a group of online attackers aligned with Russia.

But these examples rooted in the conflict between Russia and Ukraine are not the only online battlegrounds where fights over geopolitics are being waged. As tensions between Taiwan and China and Hong Kong and China escalated during the first half of the year, DDoS attack campaigns often coincided with public events. For example, in the run-up to Nancy Pelosi's historic visit to Taiwan this summer, the website of Taiwan's presidential office and other government websites went dark due to DDoS attacks. And in Latin America, during a contentious election in Colombia this past year, waves of successive DDoS attacks were launched during the initial vote and the contested runoff.

One common thread is that many of these attacks use known attack vectors and readily available DDoS-for-hire services, also known as booter/stressor services, found on the Dark Web. These illicit services typically offer a restricted tier of free demonstration DDoS attacks to prospective customers, lowering the bar for would-be attackers to rapidly spin up attacks at very little to no cost. However, because these attack vectors are well-known, they can be easily mitigated in most circumstances.

**Don't Become Collateral Damage**

DDoS attacks have the potential to seriously disrupt Internet operations for their intended targets, but they can also cause a significant collateral impact footprint for bystander organizations and Internet traffic. This risk is particularly high as data hosting and services flow from war-torn regions like Ukraine to locations abroad.

In many of the examples listed above, the effectiveness of attacks largely depended upon whether targeted organizations had organized DDoS defenses. In Ukraine and other countries, disruption was quickly remedied for unprotected organizations as global DDoS defense companies stepped in to help Ukrainian organizations that needed it. However, ongoing defenses are still needed for most organizations.

Amid this environment, the most prudent course of action to prevent collateral damage is to regularly assess DDoS risk factors, especially related to direct service delivery elements, supply chain partners, and other dependencies. Organizations should ensure that critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected. They also should check to make sure DDoS defense plans reflect ideal current configurations and operational conditions, and that the plans are periodically tested to verify that they can be successfully implemented as required.

In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

War and Geopolitical Conflict: The New Battleground for DDoS Attacks

Dark Reading's panel of security experts deliver a magnum of bubbly hot takes on what 2023 will look like, featuring evil AIs, WWIII, wild workplace soon-to-be-norms, and more.

The end of the year is upon us, and that means predictions — lots and lots of predictions. And no wonder: With 2022 in the books, cybersecurity professionals worth their salt are starting to think about what's around the next bend; one needs to be prepared, after all.

This year, we wanted to break out of the mold of covering predictable predictions ("more automation is on the horizon," anyone?) to focus on some of the more out-there views on what the cybersecurity landscape might hold for the next revolution around the sun. In this, our stable of experts didn't disappoint.

Security experts from near and far gave Dark Reading their most outrageous/boldest security predictions for 2023. Whether that's something that will happen on the threat side of things (hackers will start WWIII), an impending crazy cyberattack (looking at you, evil Santa elves), a prediction for insane futuristic tech on the defensive side (bot vs. bot), nutty enterprise trends (spyware for employees), what have you — these crystal ball-isms will hopefully make you think about what is in store.

For instance, David Maynor, director of the Cybrary Threat Intelligence Team (CTIG), offered up a slew of hot takes for 2023 that run to the dystopian. And we're here for it:

"Information security practitioners will continue to be divided into topics, such as active defense, to the point that pseudo-religious cults may form," he opines. "DEF CON will be canceled. A reboot or sequel of one of the following movies will be greenlit: Hackers, Sneakers, WarGames, The Net, Swordfish."

Nicely done, David. And that's just the beginning.

**Cookies to the Rescue: A Seasonally Appropriate Hacking Collective**

To kick things off, Dean Agron, CEO and co-founder of Oxeye Security, flagged an impending cyberattack that's sure to hit everyone on Santa's list, not just the naughty ones.

>   
> "The 'Santa's Gift' attack, from a Greenland-based hacking group called '\[email protected\]'s 3lves' will allow attackers to bypass input sanitation mechanisms by using a specific combination of 🎅🏼 🦌 🧝 🎄 🎁 🛷 emojis (Santa, reindeer, elf, Christmas tree, gift, and sleigh). Every input that allows inputting emojis is vulnerable, and the right permutation of emojis will immediately enable root access to your cloud infrastructure. Privacy and security advocates who have been fighting to eliminate cookies are rethinking their posture, as an overflowing stack of cookies (and a glass of milk) is the only known measure to combat this attack." — Dean Agron, CEO and co-founder of Oxeye Security

Yes, he was just kidding. But it made you wonder for a minute, didn't it? Onto the real predictions!

**Automation Is Finally Ready for Prime Time**

Sure, predicting the use of more security automation is like saying there might be more political division in Congress in the new year. But at least one of the experts we tapped took it an extra step further.

>   
> "The drive to use automation to replace human workers will evolve into automating away the need for useless middle management where both workers and executives rejoice." — John Bambenek, principal threat hunter at Netenrich

Ouch.

**Scary AI & Machine Learning Gets ... Scarier**

The idea of weaponized deep fakes becoming a go-to method for attackers was a theme for many of the bold predictions that Dark Reading received.

>   
> "We haven't really seen it at scale yet, but with the trouble we already have getting our users to follow policy and not fall for social engineering attacks, how much worse will it be if (when) we have to deal with videos of their boss telling them that it's totally cool to give that random caller your password?" — Mike Parkin, senior technical engineer at Vulcan Cyber

Others also warmed to this theme.

>   
> "In 2023, fraudsters will devise new ways to hack into accounts, including new ways to spoof biometrics, new ways to create fraudulent identity documents, and new ways to create synthetic identities." — Ricardo Amper, founder and CEO at Incode

Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, points out that scary-level AI can juice the D, too.

>   
> "2023 will be the first year of bot vs. bot. The good guy's threat hunting and vulnerability-closing bots will be fighting against the bad guy's vulnerability-finding and attacking bots, and the bots with the best AI algorithms will win. 2023 is the year where AI becomes good enough that the humans turn over defense and attacks to self-traveling and replicating code for the entire attack chain from initial root exploit to extraction of value." — Roger Grimes, data-driven defense evangelist at KnowBe4

**Chatbot AIs: A Particularly Nasty Strain**

Sometimes the dark view of AI use has to do with unintended consequences, with Maynor linking back to his WarGames reboot note.

>   
> "A person with no programming or security knowledge may accidentally create a destructive, self-propagating worm using an AI chatbot and then accidentally release it on the Internet, causing almost a trillion dollars in damage worldwide." — Cybrary's Maynor

Hmmmm, what AI chatbot could he possibly be referring to? At least one person we talked to has no qualms naming names, with a dark prediction about AI-assisted phishing.

>   
> "Hackers will use ChatGPT to develop multilingual communications with unsuspecting users in business supply chains. Many of the most notorious cybercriminal gangs and state-sponsored cybercriminals operate in countries like Russia, North Korea, and other foreign countries \[which makes them\] somewhat easier for end users to detect. This technology can develop written communications in any language, with perfect fluency. It will be very difficult for users to recognize that they are potentially communicating via email with an individual who barely speaks or writes in their language. The damage this technology will cause is almost a certainty." — Adrien Gendre, chief tech & product officer and co-founder at Vade

Of course, these are early days for ChatGPT and its ilk. Imagine the risk once development really gets going.

>   
> "It's only now that the AI algorithms have evolved where good bot vs. bad bot becomes a realistic threat. ChatGPT showed us what was possible ... and it's not even the latest AI version. I'm not scared of ChatGPT. I'm scared of its children and grandchildren." — KnowBe4's Grimes

**Apocalypse Now? Critical Infrastructure Is Set to Burn...**

Evil AIs are forever tied in most of our minds with taking over the world and bringing about apocalypse (save John Connor!). But some experts tell Dark Reading that the apocalypse doesn't need to wait for the sentient robots.

>   
> "In 2023 we'll see a disruption to network supply chain unlike anything we've ever seen before: A new tactic that will be added to the warfare arsenal is the sabotage of fiber cable. It has long been a war tactic to target communication lines, but the attacks will be farther reaching and wipe out Internet access for entire continents." — Daniel Spicer, chief security officer at Ivanti

Sure, the Internet disappearing overnight could cause major dysfunction, but what about a long-term lack of power?

>   
> "The skills gap, recession and tensions abroad are forming a perfect storm for a major attack on the power grid in 2023. At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years. The combination of aforementioned factors makes the US's power grid more vulnerable to cyberattacks than it has been in a long time." — Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence

Ian Pratt, global head of security for personal systems at HP Inc., even offers Dark Reading a potential attack vector for such a scenario.

>   
> "Session hijacking — where an attacker will commandeer a remote access session to access sensitive data and systems — will grow in popularity in 2023. If such an attack connects to operational technology (OT) and industrial control systems (ICS) running factories and industrial plants, there could also be a physical impact on operational availability and safety — potentially cutting off access to energy or water for entire areas." — HP's Pratt

**... Or Maybe Not**

There's a contrarian in every bunch. Ron Fabela, CTO and co-founder at SynSaber, laid one such prediction on Dark Reading: that 2023 will be remembered for the ICS cyberwar that wasn't.

>   
> "While everyone in industrial cybersecurity will continue to fear all-out cyberwar, with predictions of turning off the power grid and poisoning our water shouted from rooftops and Capitol Hill, one thing is for certain: It's a paper dragon, all hot air and no teeth. The security operator in the SOC and the industrial operator in the control center deserve our attention rather than Russian APTs." — SynSaber's Fabela

**WWIII Started by Hackers?**

So if fears that the Bad Guys will take out our critical infrastructure are overblown, does anything have the power to light off a firestorm of kinetic war?

Why, messing with our finances, of course.

>   
> "An attack against the Securities & Exchange Commission (or IRS, or some similar fundamental agency to the US government) would likely be as clear a flash point for war as the assassination of Archduke Franz Ferdinand. So, if it were to happen, it would be a very carefully calculated and planned, state-sponsored attack." — Simon Eyre, CISO and managing director at Drawbridge

**Cybersecurity Consolidation? Less Vendor Choice? Nope & Nope**

Speaking of finances, anyone who has been following the volatile vagaries of the cybersecurity market from an M&A, valuation, and funding perspective will be aware that most analysts believe that enterprises will rapidly consolidate their cyber-defense tools under just a handful of vendor names — meaning that security Big Kahunas will just keep snapping up small fry and rivals until the choices end up very limited indeed.

Enterprises seem to want that too, according to survey after survey, given the upside in terms of interoperability and management.

Richard Stiennon, chief research analyst at IT-Harvest, says bah humbug to all that.

>   
> "I have been hearing this since there were less than 100 vendors. Now, I count more than 3,200 cybersecurity vendors covering 17 major categories and 660 subcategories. There are always going to be new threats, and new threat actors creating demand for new products that will come from startups. Yes, there will be lots of M&A action in 2023, probably close to 400 transactions. Every acquisition whets the appetite of investors to get in on the action. It also creates founders who are now wealthy who start their next company as soon as they earn out." — IT-Harvest's Stiennon

**Big Brother IS Watching You**

We would be remiss if we wrapped up without mentioning the myriad predictions that Dark Reading received regarding the future of remote and hybrid working. It isn't going anywhere — that genie is well and truly out of the bottle, we all agree. But there's a rather horrific side effect of that reality: The use of creepy productivity monitoring tools by employers, which for all intents and purposes, is spyware by another name, says one expert.

>   
> "Many leaders are resistant to remote work because they are used to leading based on observations, i.e. who is sitting at their desk the longest? In today’s ‘anywhere work’ environment, ‘observation leadership’ is causing managers to implement spy-like tools that measure activity and working hours which invade privacy and create a feeling of distrust among employees." — Dean Hager, CEO of Jamf

Silver lining alert: Hager adds that this kind of completely whacked-out employee tracking will backfire, leading to an outcome-based leadership that will have a positive effect on employee morale and company culture.

Beyond the Obvious: The Boldest Cybersecurity Predictions for 2023

New web targets for the discerning hacker

New web targets for the discerning hacker

  

As 2022 draws to a close, HackerOne has revealed that cloud-based vulnerabilities became increasingly common this year as organizations embark on digital transformation.

The bug bounty platform reported that researchers uncovered more than 65,000 software vulnerabilities through its service during the year, up 21% on 2021.

Misconfiguration vulnerabilities also rose 150% and improper authorization issues by 45% – largely because organizations are instituting ever-more granular permissions as they migrate to the cloud.

Intel recently paid out a $10,000 bug bounty to Julien Ahrens of RCE Security – despite disputing the seriousness of the flaw.

Ahrens bypassed Intel Data Center Manager (DCM) authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, claiming this led to remote code execution (RCE).

Intel acknowledged the vulnerability and gave it a severity score of 8.8, but says the issue amounted only to a privilege elevation flaw. It was persuaded to make the payout anyway as a one-off.

Meanwhile, a security researcher known by the moniker Peter M demonstrated this month how he bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

He says it took 500 crafted attempts and over 14 hours to find an entry point as part of a private Bugcrowd program.

The attack, carried out with the assistance of Synack pentester Usman Mansha, used Spring Expression Language (SpEL) injection.

Read more of the latest bug bounty news

In other bug bounty news, Intigriti says it has paid out nearly three times as much this year compared to last, with the average amount having doubled.

It says ethical hackers increasingly see bug bounty hunting as a full-time career, with 96% saying they’d like to spend more time on it. The biggest draw is the money, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart cybercriminals.

And Meta’s review of its own bug bounty program this year has revealed that it paid out more than $2 million, receiving around 10,000 reports in total, of which it paid out on 750.

Meta also released updated payout guidelines for mobile RCE bugs, and there are new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities, too. These go up to $130,000 for ATO reports and $300,000 for mobile RCE bugs.

Finally, bug bounty and security services platform for web3 Immunefi says it has paid out just under $66 million this year, with the biggest bounty amounting to $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol.

Critical vulnerabilities took the lead with a total of $61 million paid out, accounting for 92.7% of all bounties paid.

**The latest bug bounty programs for January 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Axis Communications**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
TBC

Outline:  
Video surveillance vendor Axis Communications has launched a bug bounty program to find vulnerabilities in its network security products, excluding its 2N products.

Notes:  
Axis Communications has yet to release details of payment rewards for finding such bugs, but has released details of how these bugs are scored using the CVSS method.

Check out the Axis Communications bug bounty page for more details

**Contentsquare**

Program provider:   
YesWeHack  

Program type: Public

Max reward: €2,500 ($2,670)

Outline: UX analytics provider Contentsquare has launched a bug bounty program focussed on finding issues with its mobile software development kit and collection endpoints, details of which are listed on its bug bounty page.

Notes: Contentsquare asks ethical hackers to consult the list of in-scope topics beforehand, as the targets are specific.

Check out the Contentsquare bug bounty page for more details

**Doppler**

Program provider:  
HackerOne

Program type: Public

Max reward: $2,500

Outline: Doppler bills itself as a “SecretOps platform developers and security teams trust to provide secrets management at enterprise scale”.

Notes: Again, there are multiple domains to explore plus Doppler’s source code. There are also five domains that are out of scope for testing.

Check out the Doppler bug bounty page for more details

**Engel & Völkers Technology GmbH**

Program provider:  
HackerOne

Program type: Public

Max reward: $1,000

Outline: IT consulting firm Engel & Völkers Technology GmbH has opened its domains to testing by bug bounty hunters.

Notes: There are more than 10 domains available to attack, ranging from critical to medium severity. There are also a handful of domains that are out of scope and shouldn’t be tested.

Check out the Engel & Völkers Technology GmbH bug bounty page for more details

**Harman International**

Program provider:  
YesWeHack

Program type: Public

Max reward: $5,000

Outline: Electronics manufacturer Harman, a Samsung company, is asking for help with “hardening of the entire ecosystem” related to JBL devices.

Notes: There are 16 targets in scope including physical devices, web APIS, and applications, so there’s something for everyone to get stuck into.

Check out the Harman International bug bounty page for more details

**Moonpay**

Program provider:  
HackerOne

Program type: Public

Max reward: $20,000

Outline: Crypto exchange platform Moonpay is offering big rewards for security vulnerabilities in multiple domains and its source code.

Notes: There are four domains out of scope, so these should be checked before proceeding. Moonpay also details an extensive list of vulnerabilities that aren’t eligible for reward, so this should be checked, too.

Check out the Moonpay bug bounty page for more details

**Navitas**

Program provider:  
Bugcrowd

Program type:  
Private

Max reward:  
$2,500

Outline:  
Australian education provider Navitas is offering rewards for reproducible bugs in its services, with rewards based on the severity of the issue.

Notes:  
Although the company is based in Australia, the rewards are open to ethical hackers worldwide, on an invite basis.

Check out a press release regarding the Navitas bug bounty program for more details

**OVO**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$3,000

Outline:  
Indonesian payment, rewards and financial services platform is asking hackers to find bugs in four of its mobile and web apps, providing plenty of opportunity to seek a reward.

Notes:  
OVO has explicitly noted that staging environments are out of scope, as are any other targets that aren’t specifically listed on its bug bounty page.

Check out the OVO bug bounty page for more details

**Swapcard**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€2,000 ($2,140)

Outline:  
Swapcard describes itself as an event app and matchmaking platform powered by artificial intelligence, which holds events in the sectors of security, government, and health.

Notes:  
There is an extensive list of applications and APIs that can be targeted, so this is worth checking out before making a start. Also note that Swapcard states that reports with a detailed proof of concept will be rewarded at a quicker rate, if eligible, than those without.

Check out the Swapcard bug bounty page for more details

**VFS**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$1,500

Outline:  
VFS manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments.

Notes:  
The maximum reward is for vulnerabilities deemed as ‘critical’. Examples include, but aren’t limited to, the leaking of visa applicant personally identifiable information, Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information, and scripts that can automate the completion of the user registration flow.

Check out the VFS bug bounty page for more details

**Yuga Labs**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$25,000

Outline:  
Yuga Labs is offering an impressive $25,000 for the discovery of critical vulnerabilities in its web3 platform.

Notes:  
The company is asking for reports on bugs in not only its domains but its Discord servers too. Anyone wanting to attack the Discord servers should check out the separate policy on Yuga Labs’ bug bounty page first.

Check out the Yuga Labs bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for December 2022

Bug Bounty Radar // The latest bug bounty programs for January 2023

Any multifactor authentication adds protection, but a physical token is the best bet when it really counts.

In August,  the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn't burrow deeper into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers. 

Cloudflare wasn't the only company high on the security protection of hardware tokens, though. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser announced hardware key support for Android.

The protection isn't new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.

“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.” 

Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can't simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it's usually not the end of the world, because someone who finds it won't know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.

You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.

Meanwhile, after years of work, the tech industry finally took major steps in 2022 toward a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don't use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren't going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.

“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”

While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you'll get plenty of mileage from just using them on a couple of, ahem, _key_ accounts.

The Password Isn’t Dead Yet. You Need a Hardware Key

The toasts, triumphs, and biggest security wins of the year

The toasts, triumphs, and biggest security wins of the year

  

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Yesterday we showcased the year’s biggest fails – the security disasters, industry calamities, and the emergence of vulnerabilities so stupid they’ll make your eyes roll.

Today, we’re celebrating the times that organizations, governments, and the infosec community have shown laudable skill, judgement, and commitment to better securing the cyber sphere in 2022.

**CCFA changes**

This year saw major progress made in protecting ethical hacking from unfair legal consequences. Current laws worldwide often enable prosecution of security researchers motivated to protect rather than harm users, creating risks for ethical hackers in the course of doing their job.

In the US, the Department of Justice (DoJ) announced it will no longer prosecute security researchers who act in “good faith” under a landmark revision to its policy regarding computer crime laws.

The amendment, announced back in May, laid out changes to prosecution criteria under the Computer Fraud and Abuse Act (CFAA).

Good faith in this case refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.

RELATED Stupid security 2022 – this year’s infosec fails

**Decriminalizing UK ethical hackers**

Across the pond, UK legislators proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill back in June that would give cybersecurity professionals a legal defence for their activities under the Computer Misuse Act (CMA).

Critics argue that the law, which came into effect in 1990, is outdated and unduly prosecutes security researchers, ethical hackers, and pen testers who responsibly hunt for or report vulnerabilities.

Campaigners continue to call for legal clarification of legitimate hacking activities, which they argue include responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

The UK government continues to hold talks on the proposed law changes. A call for information was closed in September.

**Making disclosure smoother**

Progress was also made in helping security researchers to make the vulnerability disclosure process smoother.

HackerOne encouraged customers to adopt its new standard policy, released in November, that goes further to protect hackers from legal problems.

The Gold Standard Safe Harbour agreement “is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”, said HackerOne.

“This standardization also reduces the burden on hackers for parsing numerous different program statements.”

Catch up on the latest bug bounty news

Meanwhile, the maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference in November.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

**In defence of Ukraine**

The Russian invasion of Ukraine dominated headlines this year, and as individuals across the world stepped up to help, so did the hacking community.

In March, Hackers Without Borders (HWB) a Geneva-based non-governmental organization (NGO), was launched to offer emergency infosec assistance to other NGOs and providers of critical services affected by conflicts around the world.

Staffed by volunteer hackers and infosec experts, the organization helps individuals or organizations handle the fallout of cyber-attacks, protect them from further assaults, and bolster their cyber-resilience – free of charge.

In an interview with The Daily Swig, co-founder Florent Curtet said: “We are here to be like firefighters for people, companies, institutions that don’t have the money, skills, or information to protect themselves from today’s digital threats.”

Also speaking in defence of Ukraine, WithSecure’s Mikko Hyppönen told the cybersecurity company’s first ever conference attendees this year that “Russia is trying, but it is largely failing”, in its efforts to ignite cyberwarfare.

Speaking at Sphere 2022 in neighbouring Finland, Hyppönen said: “Taking a stand here is really simple, it’s really obvious. I think we all choose to stand with Ukraine. We choose to stand with democracy, and we choose to stand against evil.”

**Back to Hacker Summer Camp**

This year saw the return of in-person conferences, in particular Black Hat, which was held online in previous years due to the coronavirus pandemic.

In May, Black Hat Asia attendees in Singapore heard keynote speaker Samir Aran warn that “if democracy is to survive, technology will have to be tamed”.

At Black Hat USA, held in Las Vegas in August, former CISA director Chris Krebs also spoke out about geopolitical tensions, urging organizations worldwide to bolster their online infrastructure amid Taiwan tensions.

And at Black Hat Europe, held in London in November, renowned security researcher Daniel Cuthbert told attendees that a defendable internet is possible – “but only with industry makeover”.

The conferences also saw the release of various hacking tools built by the community for the community.

**Securing the open source ecosystem**

Finally, efforts to secure the open source supply chain were ramped up for 2022, with a number of new initiatives launched.

The Secure Open Source Rewards (SOS.dev) scheme was set up to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

The Open Source Security Foundation (OpenSSF) also launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.

And a summit held at the White House resulted in a plan to better secure the government’s software supply chain, in the wake of the Log4j incident back in 2021.

DON’T MISS Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

Tag

#intel