More stories

  • What is a Bitwarden Secure note and how do you create one?

    Sometimes you might want to save something to your password manager other than login credentials. Good password managers allow you to save other types of information, such as identities, credit cards, and even notes. That’s right, and Bitwarden is no stranger to secure notes. In fact, the tool has a feature […]

  • Prosecutors charge six, seize 48 domains over DDoS-for-hire services

    The Department of Justice (DoJ) has been authorized to seize 48 internet domains and has laid criminal charges against six individuals who allegedly ran distributed denial of service (DDoS) or “booter” or “stresser” services from the US. The FBI is seizing the 48 domains that facilitated DDoS attacks for paying customers against targeted […]

  • These hackers used Microsoft-signed malicious drivers to further their ransomware attacks

    Security firms have reported that multiple hacking groups have been using drivers signed by Microsoft in a series of attacks, including the deployment of Cuba ransomware. That development matters because many security services will implicitly trust anything signed by Microsoft. During this month’s Patch Tuesday, Microsoft acknowledged reports by SentinelOne, Google-owned Mandiant, and […]

  • The 3G shutdown: Here are the impacted devices. Do you own any?

    Besides ushering in the revolution of smartphones, 3G has played a foundational role in the navigation and alarm-based systems that we rely on during our everyday commutes. With the institution of faster and more reliable 5G, roadside assistance and emergency crash alerts are among the many network-based features that will be affected by the shutting down of 3G. Many cars also have an emergency SOS button that, when pressed, dials first responders via 3G. That, too, will lose functionality. Vehicles from popular automakers like Toyota, Lexus, Nissan, Hyundai, Dodge, and more released before 2019 are susceptible to the issues mentioned above. The main reason that newer models still carry 3G receivers, according to Roger Lanctot, director of automotive connected mobility at Strategy Analytics, is for automakers to save on manufacturing costs. To stay ahead of the curve, you’ll want to ensure that your car supports or can receive hardware upgrades to connect to 4G. As with smartphones, your best bet to stay in the know is by consulting with your local car dealer. While the modification may come in the form of downloadable software or physical spare parts, it will help to keep your vehicle up-to-date and functioning — especially during times of danger.

  • iOS 16.2: These security updates will protect your iPhone from multiple vulnerabilities

    Apple has released iOS 16.2, the latest software update for iPhone and iPad, which fixes multiple security vulnerabilities, including several that could allow cyber attackers to run commands and take control of devices. iOS 16.2 and iPadOS 16.2 contain several new features for iPhone and iPad users, but alongside those are the […]

  • China lays out ground rules to stem deepfake abuse

    China has laid out ground rules to prevent “deep synthesis” technology, including deepfakes and virtual reality, from being abused. Anyone using these services must label the images accordingly and refrain from tapping the technology for activities that breach local regulations. Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security released a joint statement mandating that the use of deep synthesis technology and services must be clearly indicated, so these are not mistaken to represent real information. To be effective from January 10 next year, the new rules aim to protect national security and the country’s core social values, as well as safeguard the rights and interests of citizens and organisations, said the government agencies. They noted that while synthesis technology had improved user experience, it also was used to impersonate identities and disseminate false and harmful information that tarnishes victims’ reputations. This endangered national security and social stability. They added that regulations were necessary to mitigate such risks and drive the “healthy” development of new technology. The ground rules also would standardise the development of deep synthesis services and ensure these were in line with the country’s other related regulations, including data security and personal information protection laws. The new rules will apply to technology that uses deep learning, virtual reality, and other synthetic algorithms to create text, images, video, audio, and virtual scenes, including text-to-speech, voice editing, gesture manipulation, digital simulation, and 3D reconstruction.
    Apart from not using deep synthesis services to produce and disseminate information prohibited by local laws, the new regulations also outline the need to implement a real identity data authentication system as well as other management systems, such as user registration, algorithm mechanism review, data security, emergency response, and ethics review. In addition, safety technical measures must be established. These management rules and service agreements must be disclosed. Users also will have to put in place mechanisms to address rumours in a timely manner, should deep synthesis services be used to publish or disseminate false information. The relevant government agencies will need to be notified, too.

  • Singapore wants all critical infrastructures to be ready for cyber threats

    All critical information infrastructures (CIIs) in Singapore must continuously transform to keep up with the changing threat landscape and this means going beyond “generic” cybersecurity practices. It requires a strong focus on operational technology (OT) security, encompassing the right skillsets and OT-specific cybersecurity practices for CII operators. Singapore last year tweaked its cybersecurity strategy to emphasise OT and provided guidelines on the skillsets and technical competencies OT organisations needed. The country defines OT systems to include industrial control, building management, and traffic light control systems that monitor or change the physical state of a system, such as railway systems. Cyber Security Agency of Singapore (CSA) has pushed the need for CII operators to beef up the cybersecurity of OT systems, where attacks could pose physical and economic risks. The need for efficiencies and functionalities had fuelled the convergence of IT and OT systems, the latter of which were traditionally designed as standalone infrastructures and not connected to external networks or the internet. No longer operating in such air-gapped environments, OT systems now run on a wider attack surface and are open to potential cyber attacks that can have real-world impact. Asked which CII sectors most needed cybersecurity transformation, CSA noted that as the threat landscape was constantly evolving, every CII sector should continuously “adapt and transform” their processes to combat existing as well as emerging threats. CII industries vary in size, function, and reliance on technology, all of which shape their respective cybersecurity strategies, the CSA spokesperson told ZDNET.  He added that some sectors tapped OT and IT alongside IoT (Internet of Things), and this not only introduced additional industry-specific challenges, but also further increased the surface area that had to be protected against cyber threats. 
    According to Keith Lunden, manager of analysis at Google’s Mandiant Intelligence, compared to IT assets, OT assets had experienced a very limited amount of threat activity, primarily due to traditional air-gaps and internal network segmentation that minimised mainstream malware incidents. “However, this also served to minimise drivers of OT cybersecurity efforts, [so] instead of threat activities, regulatory requirements have been the primary driver of OT security efforts,” Lunden noted. “Correspondingly, unregulated industries such as water and wastewater, are most in need of transformation.” He added that these industries should develop risk-based cybersecurity countermeasures based on industry standards. Group-IB’s founder and CEO Dmitry Volkov also underscored the need for all CII sectors to constantly improve their cybersecurity posture, as their ability to operate without interruptions was critical to national security. He said sectors including healthcare, transportation, and government were frequent targets, pointing to how a ransomware attack had prompted the Costa Rica government to declare a state of emergency for the first time in April. Hackers had exfiltrated more than a terabyte of data, breaching 27 ministries in the attack. Building automation and oil and gas sectors also see high percentages of ICS (industrial control system) computers where malicious objects are blocked, according to Vitaly Kamluk, Kaspersky’s Asia-Pacific director for global research and analysis. The block rates for these industries continued to be above the global average, Kamluk said, noting that a higher usage of online resources and email amongst companies in building automation might have resulted in the sector leading others in the variety of malware attacks blocked.
    Lunden said cybercriminals had made significant advances in operational tradecraft in the last several years, with ransomware emerging as an effective business model and resulting in a large number of security incidents impacting critical infrastructures, often including OT environments. Pointing to state-sponsored attacks, he said Mandiant continued to see adversaries keen to exploit insecure by-design features of OT. “[These] aimed to maliciously leverage the native functionality of OT devices, rather than exploit vulnerabilities in these systems,” he noted. “As a result, we expect state-sponsored malware targeting these features of OT to remain a threat for the foreseeable future, as it is much more difficult to redesign these devices, rather than simply patch vulnerabilities in them.”

    Supply chains heighten potential OT threat

    In addition, supply chains in some OT sectors, such as manufacturing and maritime, typically are expansive and involve multiple parties. And it can prove challenging to secure supply chains, CSA said, noting that organisations take on unknown cyber risks from third-party vendors since they do not have full visibility of their supply chain. “Organisations can only be as strong as their weakest link,” the spokesperson said. He pointed to CSA’s CII Supply Chain programme, which outlines five foundational initiatives to help these sectors address cyber supply chain challenges across different layers, including organisation, sectoral, national, and international. The programme includes a toolkit, handbook, certification scheme, and learning hub. In particular, all CII and OT sectors should improve their visibility since organisations would not be able to secure and defend assets they did not know existed, said Fabio Fratucello, CTO of CrowdStrike Asia-Pacific Japan. Without visibility, they also had no threat detection or protection against adversaries who would work to locate blind spots, Fratucello said.
    To address such challenges, he said CrowdStrike had introduced its Falcon Discovery for IoT to help customers understand interconnected relationships between their IT, OT, and IoT assets, and mitigate potential risks across these environments. “Once organisations have a deeper understanding of their attack surface, they are better equipped to make more informed, risk-based decisions by bridging the gap between OT environments and IT operations,” he noted. “It’s important for organisations to look externally as well as internally to understand security vulnerabilities. This includes risks via the supply chain, which in some industries can be an incredibly complex and lengthy chain.” Citing CrowdStrike research, he said 48% of Asia-Pacific organisations had experienced at least one supply chain attack last year, while 60% were unable to claim all their software suppliers had been vetted. To better manage their third-party ecosystems and safeguard their infrastructures, Volkov suggested OT sectors adopt isolation and segregation of IT, OT, and human processes and ensure the integrity of their infrastructure components. A threat intelligence platform also would identify potential attackers and how they were attacking OT infrastructures, he said, adding that it would indicate areas of compromise so these could be plugged and security posture improved. OT sectors should assess their suppliers’ external attack surface and work closely with their third-party suppliers to further ensure they had all the necessary security measures in place, such as an incident response team.

    Plugging gaps in OT security

    With demand for roles requiring competencies in IT and OT up amidst increased connectivity between both domains, CSA said it developed the OT Cybersecurity Competency Framework to offer guidelines on identifying skillsets and training for their engineers.
    It also maps out career paths for these engineers, the spokesperson said. The spokesperson added that CSA established the cybersecurity code of practice to set out mandatory OT-specific cybersecurity practices for CII operators. “These focus on network segmentation, patch management, detection, and continuous monitoring with the aim to reduce the probability of threat actors exploiting software vulnerabilities and gaining a foothold of OT systems,” he said. “It equips OT system owners with the know-how to mitigate emerging cyber threats more effectively.” Asked about the role of regulations in OT, he said Singapore’s Cybersecurity Act provided a framework for the designation of 11 CII sectors, while the code of practice stipulated basic standards of cybersecurity and measures these CII owners should implement to ensure their resilience. He noted that the code of practice recently was enhanced to help CIIs further strengthen their cyber resilience and defences against sophisticated cyber threats and be more agile in responding to emerging cybersecurity risks. The code review also improved coordination between the Singapore government and private sectors, so cyber threats could be uncovered and response initiated in a timely manner, the CSA spokesperson said. “Every CII sector faces cybersecurity risks that are specific to their digital terrains, such as migration to the cloud or use of 5G technologies,” he noted, stressing the importance of OT security. “Cyber hygiene practices that are generic across critical sectors would not be able to address such specific risks.” Kamluk said it was important to set industry standards requiring companies to build security foundations into their systems. While essential, however, regulations are just one component of a holistic approach to OT security. Collaboration also is key in integrating all elements within security, he said, urging organisations to band together and take a concerted approach to security as a sector.
    A clear roadmap provides a guiding plan everyone can work towards and this can ease friction within the sector, he added. With a plan and systems in place, there should be regular sector-specific meetings and routine maintenance. These “health checks” will ensure potential pitfalls and threats are raised early and players in the sector can recalibrate and remain resilient, Kamluk said. Volkov noted that new laws or amendments to existing ones should be “data-driven” and aim to address weaknesses identified during cybersecurity drills involving various parties. Lunden said: “Regulations need to be performance-based, rather than prescriptive. This can give OT system owners flexibility when implementing cybersecurity countermeasures. They also need to be tailored to apply to only the most critical OT assets of an organisation, as not all OT should be considered equal. “Regulators should learn from the experiences of other regulatory bodies that have improved the effectiveness of their regulations over time,” he added. In July, Singapore expanded its cybersecurity labelling programme to include medical devices, specifically, those that handle sensitive data and can communicate with other systems. Asked if the labelling scheme could be further expanded to include OT systems and applications, the CSA spokesperson said there currently were no plans to do so. He noted that the initiative aimed to provide greater transparency for consumer-facing IoT products, which OT devices were not. The latter generally performed more critical functions, such as ensuring the delivery of essential services, he said, adding that CSA offered other certification schemes such as the Common Criteria Scheme to facilitate security evaluation of IT products.

  • Microsoft Patch Tuesday fixes six critical vulnerabilities

    Microsoft on Tuesday disclosed 56 vulnerabilities, including six critical ones and one moderate vulnerability that has been exploited. The patches released address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. The […]