UK high street retailer The Works has shut some of its stores following a “cyber security incident” which saw hackers gain unauthorised access to its systems.
Read more in my article on the Hot for Security blog.
SASE platform provider Cato Networks has introduced a new risk-based application access control for combatting security threats and productivity challenges posed by remote working and bring your own device (BYOD). The vendor said that with its new control, enterprise policies can consider real-time device context when restricting access to capabilities within corporate applications, as well as internet and cloud resources. The announcement comes amid calls from global governments for organizations to assess and improve their cybersecurity defenses in response to ongoing military and cyber tensions surrounding the Russia-Ukraine conflict.
In today’s threat landscape, user identity alone is not sufficient for zero-trust network access (ZTNA) or BYOD risk assessment, Cato stated in a press release. Identity spoofing and rogue personal devices pose significant security threats, and so an enforcement solution with contextual awareness to balance user productivity with risk mitigation is required, it added.
Brian Krebs has a detailed post about hackers using fake police data requests to trick companies into handing over data.
Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.
But in certain circumstances – such as a case involving imminent harm or death – an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.
In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR -- and potentially having someone’s blood on their hands -- or possibly leaking a customer record to the wrong person.
Another article claims that both Apple and Facebook (or Meta, or whatever they want to be called now) fell for this scam.
We allude to this kind of risk in our 2015 “Keys Under Doormats” paper:
Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. Moreover, law enforcement’s stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials.
The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.
Photo by Adi Goldstein on Unsplash
This blog was written by an independent guest blogger.
The technical infrastructure of video games requires a significant level of access to private data, whether through client-server side interactions or financial data. This has led to what Computer Weekly describes as a ‘relentless’ attack on the video game industry, with attacks against game hosts and customer credentials rising 224% in 2021. There are several techniques to managing a personal online presence in a way that deters cyber attacks, but the ever-broadening range of games and communication tools used to support gaming communities means these threats are only increasing, and are starting to affect games played in single-player.
Gaming hacks and exploits are nothing new. There has long been a industry around compromising game code integrity and releasing games for free, and within those games distributing malicious software to breach private user details and deploy them for the gain of the hacker. These have become less common in recent years due to awareness over online data hygiene, but the risks do remain.
In July, NintendoLife highlighted one particularly notorious hack of the Legend of Zelda series that was sold, unlawfully, and earned the creator over $87,000 in revenue. This exploit showed a common route towards tricking customers – deception. Zelda has a notably strong community where fans help each other out, both in learning the game and defending against common exploits; this is why the malicious actor in question was discovered, and why no further harm was done, but it remains a risk. Awareness is often key in avoiding attempted cyber attacks.
Video games have become increasingly merged with web services and this, too, is raising the risk of attack. According to CISO mag, a majority of the attacks targeting video game services were conducted via SQL injection, a popular form of web service attack that attempts to breach databases. This, in turn, can result in the extraction of private customer details and financial information.
Games have previously sought to use their own platforms for registration and payments. However, in recent years, and especially with the growth of gaming platforms – such as Battle.net, Steam and EA Origin – user account details are made more vulnerable through their hosting via web services. This is a worrying development when considering the ultimate interface of video gaming, web services, and virtual reality – the up-and-coming Metaverse.
The Metaverse is a descriptor for an interlinked series of digital worlds that will come together into one VR-powered reality. Pioneered most recently by Mark Zuckerberg and his Meta company, it is considered the future of communication and casual video gaming. According to Hacker Noon, the Metaverse is at unique risk of being subjected to serious cyber attacks.
The Metaverse is unique in that it will require digital currencies to operate. It is envisioned as a world within a world – not simply a service you pay for and then access, but an area where you will actively live and play. That means persistent financial data and constant access to privileged private information. Furthermore, individuals play themselves in the Metaverse; not a created character. One successful attack could claim a significant amount of data from any single user of the Metaverse, making it the ideal target for a new generation of cyber attacks.
In short, the protections that will come up for the Metaverse need to be absolutely world-class. Collaboration is required, and a strong culture of individual diligence and digital hygiene, too. Putting these principles in place today will help to protect the Metaverse before it really gets big, and protect video gamers too.
I don’t know how many times I’ve heard cybersecurity professionals say something like, “Not having multi-factor authentication is a huge risk for our organization.” The truth is, that type of statement may illustrate a control weakness, but unless the unwanted outcome is a ding in an audit report where MFA is required, that is not the real risk. The real risk is the probability of a ransomware incident, for example, or the leak of personally identifiable information (PII) from a customer database.
For enterprises, risk lay in the potential losses associated with unwanted outcomes incurred through their computing environments. (The cybersecurity piece of this typically focuses on incidents where these outcomes were caused by an intelligent adversary.) A simple way to think about unwanted outcomes is to consider the ways we might fail to meet one or more of our control objectives – confidentiality, integrity, availability, or other objectives – and experience one of the aforementioned incidents, among others.
As management guru Peter Drucker famously said: ‘You can’t manage what you can’t measure.’ That’s certainly true when it comes to security hygiene and posture management. Organizations must know what assets are deployed on the external/internal attack surface, understand the state of these assets, identify exposures, prioritize remediation actions based on risk, and work with IT operations on continuous risk mitigation.
This is made more challenging as the attack surface grows larger and more complex each day, demanding new requirements for data collection, processing, and analysis along with process automation. Unfortunately, these changes aren’t really happening—or at least not quickly enough. Security pros continue to approach security hygiene and posture management using point tools, aggregating data into static spreadsheets, relying on manual processes, and working haphazardly with their IT operations colleagues.
A botnet is a collection of internet-connected devices that an attacker has compromised to carry out DDoS attacks and other tasks as a swarm. The idea is that each computer becomes a mindless robot in a larger network of identical robots, which gives the word botnet its meaning.
“Malware infects an unsuspecting, legitimate computer, which communicates back to the botnet operator that the infected computer is now ready to follow orders blindly,” explains Nasser Fattah, North America Steering Committee Chair at Shared Assessments. “All of this is happening unbeknownst to the owner of the computer. The goal is to grow the size of the botnet, which collectively can automate and expedite large attacks.”
