Tripwire for real war? Cyber's fuzzy rules of engagement
FROM THE MEDIA: President Joe Biden couldn’t have been more blunt about the risks of cyberattacks spinning out of control. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,” he told his intelligence brain trust in July. Now tensions are soaring over Ukraine with Western officials warning about the danger of Russia launching damaging cyberattacks against Ukraine's NATO allies. While no one is suggesting that could lead to a full-blown war between nuclear-armed rivals, the risk of escalation is serious. The danger is in the uncertainty about what crosses a digital red line. Cyberattacks, including those that cripple critical infrastructure with ransomware, have been on the rise for years and often go unpunished. It’s unclear how grave a malicious cyber operation by a state actor would have to be to cross the threshold to an act of war. “The rules are fuzzy,” said Max Smeets, director of the European Cyber Conflict Research Initiative. “It’s not clear what is allowed, what isn’t allowed.”
READ THE STORY: STL Today
Why cyber threats are a C-suite issue
FROM THE MEDIA: If it was inconceivable two years ago that working from home would be the norm for a large part of the workforce, today it seems equally hard to countenance a full return to the office. While Omicron may fade into the alphabet soup of Covid, hybrid working is here to stay. For business schools educating the next generation of executives, the new flexible world requires teaching of some topics that were not obviously necessary in 2019, such as working out how to ensure remote colleagues are not at a disadvantage to those in the office. Other lessons were relevant in the “before times” but have been amplified by the pandemic. Most notable among these is cyber security, and that it is not only a task for IT departments but must be understood as a problem for every employee, from the chief executive down. Fraud and scams are one of the greatest threats to companies. Ransomware may make the headlines but the most common criminal tool remains social engineering, or confidence tricks designed to persuade people to hand over passwords or other sensitive information. These might be a phishing email supposedly from an IT technician, or a romance scammer requesting money for a plane ticket.
READ THE STORY: FT
India, Australia all set to open window to counter Chinese attempt to 'misuse' cyberspace
FROM THE MEDIA: In a veiled reference to China and North Korea's alleged attempts to misuse cyberspace including hacking exercises, India and Australia have condemned attempts to use cyberspace and cyber-enabled technologies to undermine international peace and stability as they reaffirmed their commitment to an open, secure, free, peaceful and interoperable cyberspace and technologies that adhere to international law. The foreign ministers of India and Australia during their dialogue in Melbourne on Saturday have recognized cooperation in the areas of cyber governance, cyber security, capacity building, innovation, digital economy, and cyber and critical technologies as an essential pillar of the India-Australia relationship.
The ministers also agreed to undertake joint engagement with Indo-Pacific partners to collaboratively improve the region's cyber capabilities to promote a resilient and trusted cyberspace and effective incident response. In this respect, the Centre of Excellence for Critical and Emerging Technology Policy, to be located in Bengaluru, demonstrates both countries' long-term commitment to bilateral cooperation in cyber and critical technologies.
READ THE STORY: Economic Times
Cambodia steps up surveillance with new internet gateway
FROM THE MEDIA: Some global experts are predicting a significant cyber attack against U.S. and UK critical infrastructure if Russia invades Ukraine. Whether it happens or not, is your organization prepared for this scenario? Warnings are pouring in from all over the world about the U.S. and U.K. domestic impacts resulting from a potential attack on Ukraine from Russia. Assuming the U.S. imposes sanctions or takes other retaliatory measures against Russia should an invasion occur, experts say that cyber attacks could be launched against U.S. and U.K. businesses and even government agencies. Regardless of whether you believe Russia will attack Ukraine over the next few months, it is important for all enterprises to prepare for this scenario. Other related cyber attack scenarios include a Chinese invasion of Taiwan.
Scenario planning for cyber attacks is the norm for smart public- and private-sector enterprises, and this type of situation is often viewed as a worst-case scenario by some, thus the reluctance to discuss it openly in the media. Nevertheless, in my opinion, it is an important topic for state and local governments to consider given the current situation with Russia and Ukraine. This article from James Lewis at the Center for Strategic and International Studies (CSIS) earlier this month provides some good background and context on “Russia and the Threat of Massive Cyberattack.”
In addition, the Cybersecurity and Infrastructure Security Agency (CISA) released this important alert in January, and I published this blog on the topic last month, saying to pay attention.
How China’s cybersecurity laws could backfire
FROM THE MEDIA: The next target for China’s cybersecurity crackdown will be the pools of data collected by the latest generation of cars. This approach risks Beijing shooting itself in the foot, and jeopardizing its ambitious plans to lead the global race for electric and autonomous vehicles. China wants to have control over the information cars have about their drivers, the roads they traverse and the faces and voices they pass, according to a draft law on data-security management for the automotive industry first issued in May. It seeks to ensure manufacturers across the auto supply chain keep data in the country and pass a government security evaluation if it’s sent overseas. Operators that process personal information of more than 100,000 individuals, or what preliminary rules have broadly defined as “important data,” are required to report it to regulators, provincial governments and a host of other official bodies. The rules apply to almost every situation in which people find themselves in or near a car, creating a host of ambiguities. China’s move to protect privacy and put boundaries around data makes sense. However, in the current form, the rules do more to restrict innovation, creating an enormous burden on companies for the sake of regulation and undermining the progress Beijing — and global firms operating in the world’s largest auto market — have made within the industry. State planners have been aggressive in pushing electric cars and other future-forward technology. After eliminating restrictions on foreign ownership in its EV market a few years ago, China made significant headway on road rules for autonomous driving and put in place policies that were bolder than almost anywhere else in the world. Subsidies have been strategically battery allocated, pruned and targeted toward infrastructure and better charging — both key to getting ahead.
READ THE STORY: HRC-JPN
Biden Administration Seeks To Bolster Defenses Against Cyberattacks On Water Systems
FROM THE MEDIA: A new initiative announced by the Biden administration is designed to help bolster the country’s defenses against possible cyberattacks on the country’s 150,000 public water systems that serve 300 million Americans. According to a White House fact sheet, the Water Sector Action plan outlines actions that will take place over the next 100 days to improve the cybersecurity of the water sector. It noted that, “the incidents at Colonial Pipeline, JBS Foods, and other high-profile critical infrastructure providers are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.” Similar to electric and pipeline action plans, the White House said the new plan will assist owners and operators with deploying technology that will monitor their systems and provide near real-time situational awareness and warnings. The plan will also allow for rapidly sharing relevant cybersecurity information with the government and other stakeholders, which will improve the sector’s ability to detect malicious activity.
READ THE STORY: Forbes
Using mobile networks for cyber attacks as part of a warfare strategy
FROM THE MEDIA: AdaptiveMobile Security published research that highlights how vulnerabilities in mobile network infrastructure could be weaponized in offensive military operations. Setting out how the combination of military and mobile telecom-enabled targeting capabilities can create a battlefield advantage, the paper illustrates the consistency of such a model with the concept of hybrid warfare. It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these targeted mobile operators, it is probable that the threat actor is active on a global scale. “Malicious mobile network signalling attacks must be recognized as a state-level cyber threat to individual nations as well as to collective security, and an integral component of hybrid warfare”, says Cathal McDaid, CTO, AdaptiveMobile Security.
READ THE STORY: Help Net Security
Adobe Releases Emergency Patch for Exploited Commerce Zero-Day
FROM THE MEDIA: Adobe released an emergency advisory on Sunday to inform Commerce and Magento users of a critical zero-day vulnerability that has been exploited in attacks. The flaw, tracked as CVE-2022-24086 and assigned a CVSS score of 9.8, has been described as an improper input validation issue that can lead to arbitrary code execution. Adobe says the vulnerability can be exploited without authentication. The security hole affects the Magento open source and Adobe Commerce e-commerce platforms, specifically versions 2.4.3-p1 and earlier and 2.3.7-p2 and earlier. Adobe has developed patches, which are delivered as MDVA-43395_EE_2.4.3-p1_v1. The software giant says “CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” No other information has been provided about the attacks and Adobe has not credited anyone for reporting the vulnerability. Adobe told SecurityWeek that it cannot share additional details about the vulnerability to protect the security and privacy of its customers.
READ THE STORY: Security Week
How to Social Engineer Your Way Into Bitfinex
FROM THE MEDIA: Let’s flash back to 2019, when the New York City couple gave a talk entitled “How to Social Engineer Your Way Into Anything” at NYC Salon. During the half hour talk Morgan offers examples of powerful social engineering and infiltration techniques that can be used to manipulate someone into divulging information or taking action that ‘they otherwise would not’. Despite the goofy awkwardness of her rapper alter-ego Razzlekhan, Morgan is, in fact, a skilled and lucid orator. Her talk delights the New York audience who at several points break into spontaneous laughter or applause. Is it possible that Morgan’s social engineering nous offers some clue as to how these funds were acquired in the first place? It’s a theory that Eric Wall, Chief Investment Officer at Arcane Assets certainly subscribes to. In a Twitter thread on Wednesday, Wall speculated that the reason the precise nature of the Bitfinex exploit was never made public could be because the circumstances of the theft were ‘embarrassing’.
READ THE STORY: Be In Crypto
Beware of deepfakes, catfishing, social engineering this Valentine’s Day
FROM THE MEDIA: Finding love online might be a risky prospect due to scammers and catfishing. This arena has grown even more dangerous with the emergence of deepfakes. According to FortiGuard Labs’ Cyber Threat Predictions for 2022, deepfakes are a growing concern because they use AI to mimic humans and can be used to enhance social engineering attacks. Doros Hadjizenonos, Regional Director at Fortinet, Southern Africa, says confident tricksters have been defrauding victims for generations, but the emergence of ever more sophisticated technology is enabling them to do so faster, in greater numbers and at lower risk to themselves. “Attackers are even more likely to strike at romance-focused times like Valentine’s Day,” he says. Romance scams usually involve a cyber criminal developing a relationship with the victim to gain a victim’s affection and trust and then using the close relationship to manipulate and steal from the victim. Some also request intimate photos and videos and later use these to extort money. The scams are rife around the world, and the US Federal Trade Commission (FTC) reports that individuals lose more money on romance scams than on any other fraud type. Indeed, in 2020, reported losses to romance scams in the US reached a record $304 million, up about 50% from 2019. No country is immune: just a few months ago, eight people were arrested in South Africa in connection with romance scams in which over 100 victims around the world lost over R100 million.
READ THE STORY: itweb
Items of interest
Bounty Everything: Hackers and the Making of the Global Bug Marketplace (Paper)
FROM THE MEDIA: In Bounty Everything: Hackers and the Making of the Global Bug Marketplace, researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs—programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.
Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms—the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework—they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next. Bounty Everything offers to reimagine how bounty programs can better serve the interests of both computer security and the workers that protect our digital world. Ellis & Stevens argue that if bounty programs are not designed and implemented properly, “this model can ironically perpetuate a world full of bugs that uses a global pool of insecure workers to prop up a business model centered on rapid iteration and perpetual beta.”
READ THE STORY: SSRN
The Next Phase in Cyber Warfare (Video)
FROM THE MEDIA: With each major technological leap forward in warfare the rules of war also change, and the new frontier of Cyber Warfare has completely thrown out the conventional concept of the first strike. With tens of thousands of cyber-attacks occurring each day from all of the major players, how prepared any nation is to be able to defend itself is now a giant question mark.
How Cyberwarfare Was Used to Control Anti-Vaxxers (Video)
FROM THE MEDIA: Nicole Perlroth is an award-winning cybersecurity journalist for The New York Times and bestselling author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at firstname.lastname@example.org