The IT Privacy and Security Weekly Update Plays Ball for the week ending October 17th, 2023
10/17/2023
Episode 161.

In this week's IT Privacy and Security weekly update...

On first base is an exciting new use case for AI that will leave you feeling great! On second is an update on the largest DDoS attack ever, what it is and what it could mean to you. Third at bat, the US pitches a plan for other countries to adopt a policy of no payments for ransomware.

Back at home plate we have the newest trend in malware: browser updates through infected websites. We tell you what to look out for so you don't get hit by any foul balls. At number five, and way out in left field, is concern from one mathematician that the NSA might be fouling the mix of the latest encryption protocol. Up in the bleachers at number six we have news on open source project updates that might leave you wishing you had a better seat. And finally we tell you how to strike out Instagram to keep it from tracking you across other websites.

This week all bases are loaded. Let's go hit a home run!

US/UK: AI tool forecasts new COVID variants
https://www.nature.com/articles/s41586-023-06617-0

Harvard and University of Oxford researchers are harnessing AI to predict threatening new strains of COVID-19 and other viruses. The approach could prove more efficient than lab-based testing, because it doesn't rely on people becoming infected or getting vaccinated to develop antibodies. This could lead to better and quicker vaccines, including in the next pandemic.

Researchers developed a generative AI model that's trained on historical viral sequences to predict ways in which the organism could mutate. They then added structural details about the virus, like regions most easily targeted by the immune system. To test its predictive power, the researchers drew on the trove of data about COVID-19 from the pandemic, and how the stealthy virus kept evolving.
What they found: When presented with ancestral strains of coronavirus from before the pandemic, the tool, called EVEscape, predicted the most frequent mutations and dangerous variants of SARS-CoV-2.

So what's the upshot for you?
Forecasting virus mutations could help public health officials develop more effective countermeasures, potentially minimizing the human and economic toll of a pandemic. EVEscape is already being used to make predictions about other viruses, including HIV and influenza.

Global: The largest DDoS attack ever
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack

Distributed denial of service attacks just keep getting bigger.

Backfill: What is a DDoS attack? A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.

Last week, a coalition of tech giants revealed the biggest one yet: a DDoS campaign from August that compressed a month's worth of Wikipedia traffic into a two-minute deluge and exploited a flaw in the fundamental technology powering the Internet to do it. At its peak, the DDoS campaign described by Google, Cloudflare and Amazon AWS reached more than 398 million requests per second (RPS), more than eight times larger than the biggest DDoS attack previously observed by Google, which clocked in at 46 million RPS, according to the firm.
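Google's description of the technique (the client opens a large number of streams and cancels each request immediately) tells a server operator what to count. The following is an added example, not code from Google, Cloudflare or AWS: a per-connection sliding-window guard that flags a client whose RST_STREAM frames keep pace with its new streams, replayed over constructed frame events. The RapidResetGuard class, its thresholds and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# HTTP/2 frame type codes (RFC 9113); Rapid Reset sends RST_STREAM right after HEADERS.
HEADERS = 0x1
RST_STREAM = 0x3

class RapidResetGuard:
    """Sliding-window counter per connection; thresholds are assumed, illustrative values."""
    def __init__(self, window_s=1.0, max_resets=100, min_ratio=0.5):
        self.window_s, self.max_resets, self.min_ratio = window_s, max_resets, min_ratio
        self.opens = defaultdict(deque)    # conn_id -> timestamps of HEADERS frames
        self.resets = defaultdict(deque)   # conn_id -> timestamps of RST_STREAM frames
        self.blocked = set()

    def _trim(self, q, now):
        while q and now - q[0] > self.window_s:   # drop events outside the window
            q.popleft()
    def observe(self, conn_id, frame_type, ts):
        """Record one frame; return True if the connection should be dropped."""
        if conn_id in self.blocked:
            return True
        if frame_type == HEADERS:
            self.opens[conn_id].append(ts)
        elif frame_type == RST_STREAM:
            self.resets[conn_id].append(ts)
        else:
            return False
        self._trim(self.opens[conn_id], ts)
        self._trim(self.resets[conn_id], ts)
        n_open, n_reset = len(self.opens[conn_id]), len(self.resets[conn_id])
        # Many resets AND resets keeping pace with new streams: not normal cancelling.
        if n_reset >= self.max_resets and n_reset >= self.min_ratio * max(n_open, 1):
            self.blocked.add(conn_id)   # a real server would send GOAWAY and close
            return True
        return False

def replay(events, **kw):
    """Feed (conn_id, frame_type, ts) events in time order; return blocked conn ids."""
    guard = RapidResetGuard(**kw)
    for conn_id, frame_type, ts in sorted(events, key=lambda e: e[2]):
        guard.observe(conn_id, frame_type, ts)
    return sorted(guard.blocked)

def sample_events():
    """Constructed traffic: 'good' opens 200 streams in 2 s and cancels 3; 'bad' opens and cancels 150 in 0.3 s."""
    good = [("good", HEADERS, i * 0.01) for i in range(200)]
    good += [("good", RST_STREAM, i * 0.01 + 0.001) for i in range(0, 200, 70)]
    bad = [("bad", f, i * 0.002 + d) for i in range(150)
           for f, d in ((HEADERS, 0.0), (RST_STREAM, 0.0005))]
    return good + bad
```

Running replay(sample_events()) flags only the "bad" connection; a legitimate client that cancels the occasional stream stays well under the threshold.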
The new attack uses a novel method that exploits a zero-day vulnerability dubbed "HTTP/2 Rapid Reset," which takes advantage of the protocol that manages how computers request data from websites. The DDoS attacks using the vulnerability have been ongoing since August and have targeted major infrastructure providers like Google Cloud, Cloudflare and Amazon Web Services.

"The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately," Google wrote.

So what's the upshot for you?
The attack was efficient. Only 20,000 bots were used in the campaign, far fewer than the typical number of infected machines used in a DDoS attack, and that's bad news for us: with millions of compromised endpoints worldwide, the actor that launched this attack is only testing potential capacity. We could start experiencing more frequent Internet outages as we roll forward.

US: US Plans To Push Other Countries Not to Pay Hacker Ransoms
https://www.bloomberg.com/news/articles/2023-10-16/us-plans-to-push-other-countries-not-to-pay-hacker-ransoms

The US is pushing a group of governments to publicly commit to not make ransom payments to hackers ahead of an annual meeting of more than 45 nations in Washington later this month. Anne Neuberger, deputy national security adviser, told Bloomberg News that she is "incredibly hopeful" about enlisting support for such a statement but acknowledged it's a "hard policy decision." If members can't agree to the statement in advance of the meeting, then it will be included as a discussion point, she said.

The aim of the statement is to change that calculus, Neuberger said. "Ransom payments are what's driving ransomware," she said. "That's the reason we think it's so needed."

So what's the upshot for you?
We think the "all or none" is a good approach, but the pain will be felt getting there.
As other companies have discovered, it's possible to spend millions on post-ransomware remediation where paying up might have offered a less costly solution for the near term. The important point here is that initially a move like this will drive "hackers" from areas where no payment is made to those where it is. Once this initiative takes hold, you don't want to be the last one standing with the "I'll pay" target on your back.

Global: Watch Out: Attackers Are Hiding Malware in 'Browser Updates'
https://www.darkreading.com/threat-intelligence/watch-out-attackers-hiding-malware-browser-updates

Threat actors are employing sophisticated tactics, exploiting unsuspecting users by concealing malware within counterfeit browser updates. These threat clusters generally follow a uniform script. They exploit weak points in legitimate websites, implanting their malicious JavaScript code. The method is highly opportunistic, affecting various sectors including media, sports associations, and software companies.

The attackers' script operates seamlessly alongside the website's regular content, aiming to redirect traffic to a domain controlled by the attackers. Users are then lured into downloading malware under the guise of a legitimate browser update.

To avoid falling prey to such tactics, individuals are advised to stay vigilant. Recognizing deviations from the typical behavior of trusted websites and browsers can serve as a warning sign. Spotting these irregularities can help users distinguish real updates from fraudulent ones. While challenging to identify, remaining up-to-date with cybersecurity measures, including regular browser updates, remains crucial in the ongoing battle against cyber threats.

So what's the upshot for you?
"Nine times out of 10, I'll go to my kid's soccer league website and see: okay, we've got a match against some other school on Wednesday, and nothing happens.
And then one time, all of a sudden, I'm redirected to a page that says I'm using an old version of Chrome, click this button to update. That difference in pattern should be the trigger," says Daniel Blackford, senior manager of threat research at Proofpoint.

US: Mathematician Warns US Spies May Be Weakening Next-Gen Encryption
https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/

A prominent cryptography expert has told New Scientist that a US spy agency could be weakening a new generation of algorithms designed to protect against hackers equipped with quantum computers. Daniel Bernstein at the University of Illinois Chicago says that the US National Institute of Standards and Technology (NIST) is deliberately obscuring the level of involvement the US National Security Agency (NSA) has in developing new encryption standards for "post-quantum cryptography" (PQC). He also believes that NIST has made errors, either accidental or deliberate, in calculations describing the security of the new standards. NIST denies the claims.

Bernstein alleges that NIST's calculations for one of the upcoming PQC standards, Kyber512, are "glaringly wrong," making it appear more secure than it really is. He says that NIST multiplied two numbers together when it would have been more correct to add them, resulting in an artificially high assessment of Kyber512's robustness to attack.

"We disagree with his analysis," says Dustin Moody at NIST. "It's a question for which there isn't scientific certainty and intelligent people can have different views. We respect Dan's opinion, but don't agree with what he says."

Moody says that Kyber512 meets NIST's "level one" security criteria, which makes it at least as hard to break as a commonly used existing algorithm, AES-128. That said, NIST recommends that, in practice, people should use a stronger version, Kyber768, which Moody says was a suggestion from the algorithm's developers.
NIST is currently in a period of public consultation and hopes to reveal the final standards for PQC algorithms next year so that organizations can begin to adopt them. The Kyber algorithm seems likely to make the cut as it has already progressed through several layers of selection. Given its secretive nature, it is difficult to say for sure whether or not the NSA has influenced the PQC standards, but there have long been suggestions and rumors that the agency deliberately weakens encryption algorithms.

So what's the upshot for you?
In 2013, The New York Times reported that the NSA had a budget of $250 million for the backdoor task, and intelligence agency documents leaked by Edward Snowden in the same year contained references to the NSA deliberately placing a backdoor in a cryptography algorithm, although that algorithm was later dropped from official standards.

Global: Report Finds Few Open Source Projects are Actively Maintained
https://www.infoworld.com/article/3708630/report-finds-few-open-source-projects-actively-maintained.html

"A recent analysis accounting for nearly 1.2 million open source software projects primarily across four major ecosystems found that only about 11% of projects were actively maintained."

In its 9th Annual State of the Software Supply Chain report, published a couple of weeks ago, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18% decline this year in actively maintained projects. Just 11% of projects (118,028) were receiving active maintenance. According to the report, 18.6% of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.

Other interesting findings:
- Nearly 10% of respondents reported security breaches due to open source vulnerabilities in the past 12 months.
- Use of AI and machine learning software components within corporate environments has surged 135% over the last year.

So what's the upshot for you?
One of the most interesting points made in the report is the amount of responsibility on developers to import good code and libraries. Many devs download a package because it is popular, not because it is maintained or vulnerability-free... and that's what you would expect.

Global: Now you can stop Instagram tracking you across the Web
https://www.theverge.com/2023/10/17/23921095/meta-disconnect-data-websites-send-to-instagram
https://about.fb.com/news/2023/10/manage-your-information-across-apps/

The ability to block tracking across other websites and apps already exists on Facebook, but Meta only announced it's coming to Instagram today. Users can find the setting in the Accounts Center page, which will display Meta profiles across apps, like someone's separate Facebook and Instagram pages. From here, it's possible to see which businesses are sending Meta data about a user, disconnect ones as they wish, and clear this data for their profiles.

This is also where Instagram and Facebook users can download what information Meta has on their accounts. This is located in the Settings menu for both the Instagram and Facebook apps and on the latter's spin-off chat app, Messenger. This data is typically used to serve personalized ads to profiles based on the information the app collects about a user, both on that site and across the web.

Meta has faced substantial criticism over the years regarding how it tracks user data, allowing certain users to see certain ads, and how all of these elements have been used for allegedly malicious purposes. Further, legislation in the E.U. has spurred closer inspection of Meta's practices and led to the company getting slapped with several fines.

So what's the upshot for you?
Meta didn't disclose whether these features will come to its other services, like WhatsApp or Threads.
So in summary, today's ballgame started with a new AI use case called EVEscape that could direct the preparation of vaccines for the latest Covid variants, influenza and even HIV. On second base we found details of the largest DDoS attack ever, what it was and what it could mean for the future of our Internet connectivity. Our third story provided some insight into the US' plans to pitch other countries to adopt a policy of no payments for ransomware and why you might not want to be the last player in that game.

Back at home plate we had the newest trend in malware: browser updates through infected websites. We told you the simple way to keep this in the dugout and all your sensitive data safe. In our fifth update we shared one mathematician's concern that the NSA might be pushing NIST to build a backdoor into their new encryption standard. Up in the bleachers at number six we learned about the dwindling support for important open source projects. And finally we struck out Instagram tracking by turning it off!

We loved this direct and to the point quote of the week from Thomas Edison: "There's a way to do it better. Find it."

That's it for this week. Stay safe, stay secure, please pass the Cracker Jacks and... we'll see you in se7en!
Babe R.
10/17/2023 08:42:33 pm
Hey batter, batter, swing!