Security-related observations from 2021 (summer to autumn).

DOD looks for answers on GPS data spoofing

"You can have the greatest war machine ever put to sea, but somehow it gets some misinformation -- not a critical hack or something to the machine itself, but something that supplies the machine information -- that could really throw it off vector. That's what I worry about." (Defense Systems)

Hackers Attack When Communities Are Most Vulnerable

Muscatatuck is the Department of Defense's largest urban training facility. It is a "real" city that includes a built physical infrastructure, including a water distribution and pump station with multiple active supervisory control and data acquisition (SCADA) systems, 3G and 4G meshed networks, IoT testing grounds, a hospital, and even a U.S. "embassy." It is an ideal place to run realistic training and testing scenarios in the event of a cyber event and see firsthand how defenses hold up. (Government Technology)

Disinformation Threatens to Be Regular Part of Elections

"The problem is this isn't really about voter fraud or what an official is saying, or a candidate is saying," she said. "But we're seeing the effects of years and years of people living in different silos, different worlds with different facts. It's beyond what your board of elections can do." (Government Technology)

'Any Alaskan' Could Have Been Impacted by Health Data Breach

"When this went down, Health and Social Service employees had to revert back to manual analog processes. And that is a very tedious thing. Because whatever work we do get done now and process via paperwork, when the system is back up, it has to be re-logged digitally. And so this is going to be a burden of doing the work two to three times as much," Crum said. (Government Technology)

The Path to Fairer AI Starts With Audits, Standards

AI can deliver newfound efficiencies, extract meaning from troves of data and deliver a variety of other benefits, but the complexity, opacity and lack of foresight in some of these systems means they can be designed, implemented or evolve in ways that produce biased and discriminatory effects. Without strong measures to catch and correct these issues, serious harms can occur.

These risks are especially steep for AI systems used to impact decisions about social support benefits or mortgage application approvals, criminal justice sentencing and other areas where mistakes can threaten people's well-being.

Machine learning tools are also designed to continually improve, which means that a system that started out as low-risk could later become high-risk, warned Sharkey. A simple tool leveraged for mundane tasks may become more complicated over time and used to influence more impactful decisions. (Government Technology)

People Don't Realize They're Data Breach Victims

"It could be that some of the breached services were considered 'not important' because the breached account did not contain sensitive information. However, low concern about a breach may also be explained by people not fully considering or being aware of how leaked personal information could potentially be misused and harm them," (Nextgov)

New Laws Are 'Probably Needed' to Force US Firms to Patch Known Cyber Vulnerabilities, NSA Official Says

Emerging technologies like artificial intelligence will only exacerbate the problem, said Joyce. While there's little evidence so far that AI will help attackers launch difficult campaigns against well-defended targets, the use of AI to scroll through databases of known attacks, and possible victims, is already established tradecraft. He expects the use of AI by low-level criminal groups mounting unsophisticated attacks to grow. (Nextgov)

Examining threats to device security in the hybrid workplace

One of the best ways to teach more secure practices is to encourage automatic behaviors, but this becomes much harder when employees no longer have a single working pattern. At the same time they'll be carrying around mobile devices, connecting on the road and potentially even transporting sensitive paper documents. (WeLiveSecurity)

Cybersecurity agencies reveal most exploited vulnerabilities in the past two years

"The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching," the advisory reads. (WeLiveSecurity)

How corporate data and secrets leak from GitHub repositories

The experiment showed him that threat actors are constantly scanning GitHub and other public code repositories looking for sensitive data developers leave behind. The volume of secrets, including usernames, passwords, Google keys, development tools, or private keys, keeps rising as companies transition from on-premises software to the cloud and more developers work from home. (CSO)

Why today's cybersecurity threats are more dangerous

"When you look at the criminals, I think probably 20 years ago they had to be very technical." Now the barriers to cybercrime entry are low and cybercrime is becoming a service. Moreover, unlike in the past, more nation-states are entering the cybercrime arena. (CSO)

Why code reuse is still a security nightmare

Vulnerabilities inherited from third-party code have plagued applications for years, but in the age of government-sponsored software supply chain attacks, the problem is more relevant than ever. Software composition analysis tools can help uncover some of these risks, but subtle dependency blindspots still exist that make it hard for even security-conscious developers to catch all inherited flaws.

In order to discover all vulnerabilities, developers need to track not only which components they use in their own applications, but also the third-party libraries and packages those components are based on. The dependency chains can go many layers deep. (CSO)

Cybercriminals See Bountiful Harvest in Food Supply Chain

Industrial firms should also keep their information and operations systems separate and recognize that even separate systems can cause disruptions within scope of the other. The attack on oil and gas transport network Colonial Pipeline, for example, did not reach its operational network but disrupted the billing system. In effect, the company could still deliver gas but could no longer determine who bought how much. (Dark Reading)

FDA: How to Inform Patients About Medical Device Cyber Flaws

The FDA notes that in some cases, it may not be possible for patients to take action to mitigate risks posed by medical device vulnerabilities. "An update to their device may not yet exist, or they may need to wait for the medical device manufacturer, healthcare provider, or other party to take some action first," the agency says. (Data Breach Today)

Police Crack Multimillion-Dollar Real Estate Fraud Gang

Overall, 130 suspects were identified and 116 searches conducted. The group is estimated to have caused losses of around €3.5m ($4m) for over 470 victims.

The fraud gang worked by posting fake ads for properties up for sale or rent — tricking victims into sending deposit money and rent. The OGC also remotely hacked some victims' PCs, stole financial details and carried out transactions without their knowledge, Europol claimed. (Dark Reading)

Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers said. "This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services." (The Hacker News)

Iranian Hackers Posing as Scholars Target Professors and Writers in Middle-East

On a high level, the attack chain involved the threat actor posing as British scholars to a group of highly selective victims in an attempt to entice the target into clicking on a registration link to an online conference that's engineered to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo. (The Hacker News)

Coders update to the wrong version 69% of the time

The objective priorities are: avoiding experimental releases of new libraries that are not tested in the real world; choosing the newest version of a library if multiple versions are published in quick succession; avoiding libraries that have known vulnerabilities; and, if avoiding known vulnerabilities is impossible, updating to the least vulnerable version. (SC Media)

Hackers Turning to 'Exotic' Programming Languages for Malware Development

Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. (The Hacker News)

Remote employees find workarounds to company security policies, say 52% of tech leaders in study

The study found employees were most resistant to complying with multi-factor authentication, mobile device management, and password managers, making it difficult for organizations to ensure all their employees are fully and securely authenticated, leaving companies vulnerable to attacks. (SC Media)