Research Archives | CyberScoop
https://cyberscoop.com/news/research/
Wed, 07 Jun 2023 17:22:01 +0000

Security professional’s tweet forces big change to Google email authentication
https://cyberscoop.com/security-professionals-tweet-bimi-google-gmail/
Wed, 07 Jun 2023 17:21:30 +0000

Gmail is tightening its implementation of an email security protocol after a researcher discovered a flaw allowing brands to be impersonated.

The post Security professional’s tweet forces big change to Google email authentication appeared first on CyberScoop.

Last month, Google announced that Gmail users would begin seeing blue check marks alongside brand logos for senders participating in the company’s Brand Indicators for Message Identification program. Designed to give customers added trust that branded senders are who they claim to be, BIMI and its blue check mark was supposed to strike a blow against email impersonation and phishing.

But less than a month after BIMI’s roll-out, scammers found a way around its controls and were able to successfully impersonate brands, sending emails to Google users that impersonated the logistics giant UPS.

Now Google says it is tightening its BIMI verification process and is blaming an unnamed “third-party” for allowing its services to be used in ways that bypassed its security controls and delivered spoofed messages to inboxes. Experts say email providers — including Microsoft — may still be enabling this kind of behavior and are not doing enough to address a security issue that illustrates the eye-watering complexity of the modern email ecosystem.

Security researchers argue that the way BIMI is being implemented means that malicious actors could abuse the system to more effectively impersonate well-known brands, making it much more likely end users would click on a malicious link or open a dodgy attachment as part of a phishing attack.

Phishing makes up nearly half of all social engineering attacks, leading to tens of millions of dollars in losses annually, according to the 2023 Verizon Data Breach Investigations Report. Over the years, various protocols — such as SPF, DKIM and others — have been adopted to address email sender verification, but these protocols are incomplete solutions that address different aspects of a complex problem.

Developed by an industry working group in 2018 and first adopted by Google in July 2021, BIMI was intended to provide an “additional layer of email security” by displaying in Gmail the “validated logos” of brands in the program and “increasing confidence in the source of emails for recipients,” the company said in its roll-out. The idea was that BIMI would require the DMARC and SPF or DKIM email authentication standards, conveying a level of additional trust and recognition to the brand sender.

Alex Liu, a cybersecurity researcher and PhD student at the University of California San Diego who has studied the vulnerabilities of email verification protocols, said that he wasn’t surprised scammers are attacking BIMI. Throughout history, scammers are usually the first to adopt these new protocols, Liu told CyberScoop, adding that it is now up to firms like Microsoft to secure their mail servers and ensure that BIMI isn’t abused.

The dust-up over how BIMI is being implemented began with a set of tweets by Chris Plummer, a New Hampshire cybersecurity professional who described Google’s BIMI implementation as potentially “catastrophic” and said it could make users far more likely to act upon the contents of an incorrectly verified message.

“It was clear in the headers of the message I received that there was some obvious subversion, and Google was not looking far enough back in the delivery chain to see that,” Plummer told CyberScoop.

In a study published earlier this year, Liu and a group of co-authors documented how protocols meant to prevent the spoofing of sender domains struggle when encountering emails that have been forwarded — a practice commonly used by the large corporations likely to rely on BIMI to send mass emails.

Plummer discovered the problem with BIMI after noticing an email in his Gmail inbox purporting to be from UPS. Something didn’t seem right, he told a local news outlet, and Plummer determined that the email was not, in fact, from UPS. He submitted a bug report to Google on May 31, but the company “lazily” closed it as “won’t fix – intended behavior,” Plummer tweeted. “How is a scammer impersonating @UPS in such a convincing way ‘intended,’” Plummer added in the tweet that’s since been viewed nearly 155,000 times.

“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer said in a subsequent tweet. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”

The next day, after Plummer appealed, Google reversed course and notified Plummer it was taking another look at his report. “Thank you so much for pressing on for us to take a closer look at this!” the company wrote in a note, designating the bug as a “P1” priority.

“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told CyberScoop in an email Monday. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”

The DKIM requirement should be fully in place by the end of the week, the Google spokesperson said, marking a change from the previous policy that required either DKIM or a separate standard — the Sender Policy Framework (SPF). Both standards are used by email providers, in part, to determine whether incoming email is likely to be spam and, in theory, to authenticate that a sender is who they claim to be. The spokesperson added that Google appreciated Plummer’s work to bring the problem to their attention.
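As an added illustration of the two eligibility rules described above (this is constructed example code, not Google’s, Gmail’s or the BIMI group’s), the following script performs a simplified DMARC alignment check over made-up Authentication-Results headers and evaluates the old “SPF or DKIM” rule beside the new “DKIM required” rule, including a forwarded message where SPF now vouches for the forwarder while the brand’s DKIM signature still verifies. The domains, selectors and the last-two-labels shortcut for relaxed alignment are assumptions.

```python
"""Simplified model of the two BIMI eligibility rules described in the article.

Constructed illustration only: not Google's, Gmail's or the BIMI group's code.
Domains, selectors and header values are made up, and "relaxed alignment" is
approximated with the last two labels instead of the Public Suffix List.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResults:
    from_domain: str   # domain of the visible From: header the brand logo is tied to
    spf_result: str    # spf= result: pass / fail / none / ...
    spf_domain: str    # domain SPF actually vouched for (from smtp.mailfrom)
    dkim_result: str   # dkim= result
    dkim_domain: str   # header.d= of the verified signature, "" if none


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str) -> bool:
    """DMARC relaxed alignment: authenticated and From domains share an org domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def parse_authentication_results(header: str, from_domain: str) -> AuthResults:
    """Pull the SPF and (first) DKIM verdicts out of an Authentication-Results header."""
    def grab(pattern: str) -> str:
        match = re.search(pattern, header)
        return match.group(1) if match else ""

    mailfrom = grab(r"smtp\.mailfrom=([^;\s]+)")
    return AuthResults(
        from_domain=from_domain,
        spf_result=grab(r"\bspf=(\w+)"),
        spf_domain=mailfrom.split("@")[-1],          # keep only the domain part
        dkim_result=grab(r"\bdkim=(\w+)"),
        dkim_domain=grab(r"header\.d=([^;\s]+)"),
    )


def dmarc_pass_via(ar: AuthResults) -> set:
    """Which mechanisms give an aligned pass: a subset of {'spf', 'dkim'}."""
    via = set()
    if ar.spf_result == "pass" and aligned(ar.spf_domain, ar.from_domain):
        via.add("spf")
    if ar.dkim_result == "pass" and aligned(ar.dkim_domain, ar.from_domain):
        via.add("dkim")
    return via


def bimi_eligible(ar: AuthResults, require_dkim: bool) -> bool:
    """Old rule: any aligned pass (SPF or DKIM). New rule: aligned DKIM pass required."""
    via = dmarc_pass_via(ar)
    return "dkim" in via if require_dkim else bool(via)


# Constructed headers as a receiving server ("mx.example") might add them.
FROM_DOMAIN = "brand.example"
# 1. Aligned SPF pass; the message carries no DKIM signature at all.
AR_SPF_ONLY = "mx.example; spf=pass smtp.mailfrom=bounce@brand.example; dkim=none"
# 2. Forwarded: SPF now vouches for the forwarder, but the brand's DKIM signature
#    still verifies because the signed headers and body were not modified.
AR_FORWARDED = ("mx.example; spf=pass smtp.mailfrom=relay@forwarder.example; "
                "dkim=pass header.d=brand.example header.s=sel1")
# 3. Relayed and altered in transit: SPF unaligned, DKIM signature broken.
AR_BROKEN = ("mx.example; spf=fail smtp.mailfrom=relay@forwarder.example; "
             "dkim=fail header.d=brand.example header.s=sel1")


def verdicts(header: str) -> dict:
    """Evaluate one header under both BIMI rules."""
    ar = parse_authentication_results(header, FROM_DOMAIN)
    return {
        "dmarc_pass_via": sorted(dmarc_pass_via(ar)),
        "bimi_spf_or_dkim": bimi_eligible(ar, require_dkim=False),
        "bimi_dkim_required": bimi_eligible(ar, require_dkim=True),
    }


if __name__ == "__main__":
    for name, header in [("spf-only", AR_SPF_ONLY), ("forwarded", AR_FORWARDED),
                         ("broken", AR_BROKEN)]:
        print(f"{name:10s} {verdicts(header)}")
```

The SPF-only case qualifies under the old rule and not under the new one, which is the practical effect of the change Google describes; real receivers also consult the sender’s published DMARC policy and may see several DKIM signatures, neither of which this model covers.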

After Plummer first highlighted the BIMI issue on Twitter, Jonathan Rudenberg, a security researcher, replicated the issue via Microsoft 365 by sending spoofed emails from a Microsoft email system to a Gmail account and submitted a bug report to Microsoft.

But so far, Microsoft says the problem is Google’s responsibility to fix, not its own. In its reply to Rudenberg’s bug report, Microsoft’s Security Response Center told Rudenberg that the issue did “not pose an immediate threat that requires urgent attention” and that the “burden” for ensuring safety lies with the end-user’s email provider, which, in this case, was Google.

“While it’s true that SMTP/MX can be easily spoofed,” the company said in its response, referencing basic email protocols, “it’s the burden of the receiving mail provider to check the content and origin of messages. Any mail genuinely originating from Microsoft can be authenticated using SPF and DKIM, making this a failing of the mail service in not rejecting the message or sending it to a junk mail folder.”

Microsoft did not immediately respond to a request for comment.

First in space: SpaceX and NASA launch satellite that hackers will attempt to infiltrate during DEF CON
https://cyberscoop.com/moonlighter-hack-a-sat-defcon/
Mon, 05 Jun 2023 17:44:49 +0000

For the first time ever, researchers will be able to test the security of a satellite on-orbit at this year's Hack-A-Sat contest at DEF CON.

The post First in space: SpaceX and NASA launch satellite that hackers will attempt to infiltrate during DEF CON appeared first on CyberScoop.

On Monday at 11:47 a.m. at the Kennedy Space Center in Florida, for the first time ever, SpaceX and NASA sent a satellite into low-earth orbit hoping that it’ll get hacked.

Several small square-shaped satellites called cubesats were strapped to the SpaceX rocket launched for a resupply mission to the International Space Station. One of those cubesats — called Moonlighter — will be used as an experimental “hacking sandbox.” Security researchers will use that sandbox as part of a competition taking place at the annual DEF CON hacking conference in Las Vegas later this year. Teams will attempt to infiltrate it all in the service of identifying vulnerabilities in satellites to improve cybersecurity in space.

A collaboration between The Aerospace Corporation, the Air Force Research Laboratory and U.S. Space Systems Command, Moonlighter represents the latest iteration of the Hack-A-Sat competition. The Air Force has hosted Hack-A-Sat since 2020 as a multi-year effort to increase collaboration with cybersecurity researchers, but the past three capture-the-flag contests have all been simulations.

This year the organizers wanted to take the competition to a whole new level. “We wanted a vehicle where the sole purpose was to understand how to do cyber operations in space,” said Aaron Myrick, senior project engineer at The Aerospace Corporation.

Securing space systems has become more of a focus for the space industry and the Biden administration as experts are growing increasingly alarmed about new commercial off-the-shelf products with potential vulnerabilities. Just last week, experts in the field launched a worldwide effort to create voluntary technical standards through the Institute of Electrical and Electronics Engineers to better secure commercial products by design.

“We’re really trying to wrap our heads around cybersecurity operations and how do we do cyber operations on a system that is starting to have a lot more commoditized hardware and software, but it’s also extremely remote,” said Myrick. “We can’t just go up there and flip the power switch or change a hard drive … it’s quite a challenging problem.”

The Moonlighter to be featured at Hack-A-Sat. Image courtesy of Aerospace Corporation.

Earlier this year, the White House held a space cybersecurity summit with some of the biggest players. Additionally, CSC 2.0 — a continuation of the congressional Cyberspace Solarium Commission — called for space systems to be designated as critical infrastructure.

While cyberattacks against space systems may not be common, the potential consequences of an attack were most recently seen at the start of the Russian invasion of Ukraine, when state-backed hackers targeted U.S.-based Viasat’s satellite modems. The attack was aimed at disrupting Ukrainian command and control during the start of the invasion, but also had cascading impacts that spread to thousands of German wind turbines and satellite internet connections across Europe.

Myrick said the space industry understands many of the physical risks associated with space such as harsh radiation levels, but cybersecurity still presents many challenges that experts are just beginning to resolve. While simulating cyberattacks in a real-world environment will be helpful, Myrick explained, it won’t answer every question about how satellites could be affected in an attack outside the test environment.

“Moving to on-orbit actually introduces a lot of challenges, but it removes a lot of the sims you build into it,” Myrick said. For example, satellites actually spend much of their time disconnected from an operation center and are fairly automated, adding additional layers of complexity, Myrick said. Operators may simply not have full knowledge of what is impacting those space systems at particular periods of time.

Test-beds such as Hack-A-Sat allow researchers to discover how hackers target networks in space systems with which they may be unfamiliar; the findings will be mapped to a space-centric attack framework called SPARTA.

There will be limits to just how far Hack-A-Sat contestants can go. They will be able to hack at Moonlighter’s cyber payload while it is in orbit, but won’t be able to change the orbit.

“We are designing the flight software for the cyber payload to basically be able to operate the vehicle fully. So it will be able to change how the vehicle is pointed,” Myrick said. “There’s no orbit changes. That’s all pretty fixed, but where that vehicle was pointed that ability will be there.”

Myrick said that the Moonlighter has a supervisory layer that can shut off the cyber payload so if something “inevitably” goes wrong, they can “figure out what went wrong and how we can be better.”

Five teams have made it to the finals at DEF CON this August to compete for the $50,000 grand prize.

Growing hacking threat to satellite systems compels global push to secure outer space
https://cyberscoop.com/space-secure-by-design/
Thu, 01 Jun 2023 19:23:05 +0000

An international group of experts is working to build the next generation of secure-by-design space systems.

The post Growing hacking threat to satellite systems compels global push to secure outer space appeared first on CyberScoop.

Industry experts gathered in Rome and virtually on Thursday in hopes of answering a question that has long vexed people who worry about defending outer space: How to engineer cybersecurity into complex space systems from ground stations to satellites that reach far beyond.

Building security into the software and networks that control complex space systems is no easy task. But the U.S. government and many other nations around the world are dedicating more resources to protecting space systems such as GPS, space-based imaging and the satellites that provide internet service around the world over concerns that one successful cyberattack could have catastrophic consequences.

Cyberattacks aimed at satellite communication systems such as Viasat, which hackers attacked at the beginning of the Ukraine war, drove home the importance of building more security into space systems. And the attacks and intrusions are ongoing; last year the Cybersecurity and Infrastructure Security Agency found Russian hackers sniffing inside U.S. satellite networks.

“We have the unique opportunity that we can build this from scratch because of the new space era. There [aren’t] many other industries where we can do that. But in space, we’re building all the infrastructure right now, so let’s just do it right,” said Gregory Falco, a professor at Cornell University who studies the cybersecurity of space systems and chair of the Space Systems Cybersecurity Standard working group that met on Thursday. “We need to create secure-by-design specifications for different components of a space system.”

The working group also comes at a turning point for the space industry, which has moved from one mainly run by government agencies and the military industrial complex to one driven by private venture capital and Silicon Valley companies such as SpaceX.

The transformation that is well underway means there is a larger market for off-the-shelf space products that introduce more cybersecurity risks, said Falco, who also noted that most equipment for space systems is produced overseas.

“We have really needed to move onto an international model because we’re not getting access to American-made products in a reasonable time frame anymore, given the amount of scale that we’re encountering in the ecosystem,” Falco said. “So that’s something that has prompted questions like: What’s inside? And nobody really knows.”

Falco continued: “The ambition is to just rule out a whole bunch of classes on security issues for future generations of space systems, not looking backwards necessarily.”

Standards set by the Institute of Electrical and Electronics Engineers, which houses the Space Systems Cybersecurity Standard working group, will be voluntary. But the international organization is widely known and the standards are often adopted by regulatory bodies, says Gunes Karabulut Kurt, an associate professor at Polytechnique Montréal and member of the group.

“IEEE standards are very widely accepted around the world, the most famous one being the internet and Wi-Fi,” says Karabulut Kurt. “What standardization does is basically helps international partners be able to use the same products.

“The standardization aspect becomes very important and especially for security because these devices — I’m mostly talking about communication systems perspective — become more and more capable and, of course … attackers are becoming more and more capable,” she said.

Currently, some guidelines and standards exist for space systems, such as those developed by the National Institute of Standards and Technology. But critics have said those standards aren’t specific enough. A paper calling for space systems technical standards, signed by more than 40 researchers last October, including individuals from multiple U.S. and international government agencies, noted that NIST is “still currently aimed at providing general guidance, not tailored recommendations for modular spacecraft.”

Similarly, Space Policy Directive 5, issued under the Trump administration, offers generic cyber risk management guidance but again nothing specific or tailored. Other documents, such as NASA’s Space Asset Protection Standard and Japan’s Guidelines on Cybersecurity Measures for Commercial Space Systems, similarly don’t cover the full gamut of cyber defenses.

“We need to get down to the nuts and bolts of actually providing people technical best practice guidance on how to protect your system,” said Brandon Bailey, senior project leader for the Cyber Assessments and Research Department at the Aerospace Corporation.

“The devil’s in the details on what you actually need to do about it. That’s where there’s a struggle, because historically people who build space systems that are not cyber professionals, right, they’re space people,” Bailey said. “Just like you saw this in industrial control systems in the last 20 years, where you have those the industrial control as the engineers, building these cyber physical systems, but they never were trained and educated on cyber threats and TTPs.”

What the working group and the industry need is more cybersecurity professionals participating, said Falco from Cornell.

“We need cyber folks at the table,” he said. “And we need space people at the table. We also need the policy folks at the table too, because we need someone to ultimately inform the future policy that’s written that will help people to comply with the standard, right? So we need all walks of life engaged in this process from all over the world.”

Correction June 1, 2023: This article has been updated to correct the affiliation and role of Gregory Falco.

US intelligence research agency examines cyber psychology to outwit criminal hackers
https://cyberscoop.com/iarpa-cyber-psychology-hackers/
Tue, 30 May 2023 15:37:46 +0000

An Intelligence Advanced Research Projects Activity project looks to study hackers' psychological weaknesses and exploit them.

The post US intelligence research agency examines cyber psychology to outwit criminal hackers appeared first on CyberScoop.

It’s one of the most well-worn clichés in cybersecurity — humans are the weakest link when it comes to defending computer systems. And it’s also true.

Every day, we click links we shouldn’t, download attachments we should avoid and fall for scams that all too often are obvious in hindsight. Overwhelmed by information, apps and devices — along with our increasingly short attention spans — we are our own worst enemies in cyberspace. 

The natural human weaknesses that make defending the open internet so difficult are well understood and plenty of companies and organizations work to make the average person behind the keyboard better at digital self-defense. But what cybersecurity researchers haven’t focused much attention on until now are the psychological weaknesses of attackers. What are their deficiencies, habits or other patterns of behavior that can be used against them? What mistakes do they typically make? And how can those traits be used to stop them?

A new project at the Intelligence Advanced Research Projects Activity — the U.S. intelligence community’s moonshot research division — is trying to better understand hackers’ psychology, discover their blind spots and build software that exploits these deficiencies to improve computer security. 

“When you look at how attackers gain access, they often take advantage of human limitations and errors, but our defenses don’t do that,” Kimberly Ferguson-Walter, the IARPA program manager overseeing the initiative, told CyberScoop. By finding attackers’ psychological weaknesses, the program is “flipping the table to make the human factor the weakest link in cyberattacks,” she said.

Dubbed Reimagining Security with Cyberpsychology-Informed Network Defenses or “ReSCIND,” the IARPA initiative is an open competition inviting expert teams to submit proposals for how they would study hackers’ psychological weaknesses and then build software exploiting them. By funding the most promising proposals, IARPA hopes to push the envelope on how computers are defended. 

The project asks participants to carry out human-subject research and recruit computer security experts to determine what types of “cognitive vulnerabilities” might be exploited by defenders. By recruiting expert hackers and studying how they behave when attacking computer systems, the project aims to discover — and potentially weaponize — their weaknesses.

Ferguson-Walter describes “cognitive vulnerabilities” as an umbrella term for any sort of human limitation. The vulnerabilities a cyber psychological defense system might exploit include the sunk cost fallacy, which is the tendency of a person to continue investing resources in an effort when the more rational choice would be to abandon it and pursue another. In a network defense context, this might involve tricking an attacker into breaking into a network via a frustrating, time-consuming technique.

Another example Ferguson-Walter cites to explain what weaknesses might be exploited is the Peltzman Effect, which refers to the tendency of people to engage in riskier behavior when they feel safe. The canonical example of the Peltzman Effect is when mandatory seatbelt laws were put into effect and drivers engaged in riskier driving, thinking that they were safe wearing a seat belt. The effect might be used against attackers in cyberspace by creating the perception that a network is poorly defended, inducing a sense of safety and resulting in a less well-concealed attack.

Just as the tools of behavioral science have been used to revolutionize the fields of economics, advertising and political campaigning, ReSCIND and the broader field of cyber psychology aim to use insights about human behavior to improve outcomes. By placing the behavior of human beings at the center of designing a defensive system, cyber psychology aims to create systems that address human frailties.

“Tactics and techniques used in advertising or political campaigning or e-commerce or online gaming or social media take advantage of human psychological vulnerability,” says Mary Aiken, a cyber psychologist and a strategic adviser to Paladin Capital Group, a cybersecurity-focused venture capital firm. Initiatives such as ReSCIND “apply traditional cognitive behavioral science research — now mediated by cyber psychological findings and learnings — and apply that to cybersecurity to improve defensive capabilities,” Aiken said.

Cybersecurity companies are using some tools of cyber psychology in designing defenses but have not done enough to integrate the study of human behavior, said Ferguson-Walter. Tools such as honeypots or decoy systems on networks might be thought of as turning the psychological weaknesses of attackers against them, but defenders could do more to exploit these weaknesses.

Among the central challenges facing ReSCIND participants is figuring out which weaknesses a given attacker might be susceptible to — all while operating in a dynamic environment. To address this, the project proposal asks participants to come up with what it conceives of as “bias sensors” and “bias triggers,” which, together, identify a vulnerability and then induce a situation in which an attacker’s cognitive vulnerabilities are exploited.

Exactly how that system will function and whether it can be integrated into a software solution is far from clear, but Ferguson-Walter says it’s important for IARPA to pursue these types of high-risk, high-reward projects that in the absence of government funding are unlikely to receive support. 

And amid widespread computer vulnerabilities and only halting progress in securing online life, a new approach might yield unexpected breakthroughs. “We’ve had 50 or 60 years of cybersecurity and look where we are now: Everything is getting worse,” Aiken says. “Cybersecurity protects your data, your systems, and your networks. It does not protect what it is to be human online.” 

Industrial security vendors partner to share intelligence about critical infrastructure threats
https://cyberscoop.com/emerging-threat-open-sharing-industrial-cybersecurity/
Mon, 24 Apr 2023 10:00:00 +0000

The biggest companies working in industrial cybersecurity are building an early-warning platform called ETHOS to share threat intelligence.

The post Industrial security vendors partner to share intelligence about critical infrastructure threats appeared first on CyberScoop.

Some of the largest operational technology cybersecurity vendors are building an open-sourced, opt-in threat intelligence sharing portal to provide early warnings about threats to critical infrastructure.

The platform, called Emerging THreat Open Sharing, or ETHOS, is designed to close information gaps that arise because organizations don’t have access to the same information about the latest hacks or vulnerabilities that could affect the entire energy sector, pipeline operators or other industrial sectors.

“The majority of the threat intelligence is contained within vendor silos,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “We’re not looking to be disruptive from that perspective. We’re looking to elevate the game. Your intelligence will always be limited by what you can see and it doesn’t matter how big your market share is.”

The overall lack of visibility into critical networks has been a longstanding concern in the U.S. Because of this issue, the Biden administration has led multiple “sprints” to increase visibility across various critical industries. The ETHOS effort, which includes well-known cybersecurity firms operating in the critical infrastructure space such as 1898 & Co., Dragos, Claroty, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable and Waterfall Security, is one of the most significant industry initiatives to raise awareness across the entire sector.

“It’s a gigantic improvement of the visibility that we can have. It’s intelligence that we never had before,” Carcano said. “We can really discover if there is something going on in the country that, until today, is going to be buried inside of Nozomi alert, Dragos alert, Claroty alert.”

Marty Edwards, deputy chief technology officer for OT and IoT at Tenable, said in a statement that one large challenge within OT is knowing which threats actually pose a risk to an organization.

“ETHOS is a vendor agnostic initiative that aspires to cut through the noise by automating the discovery and dissemination of real-world threat information from its industry members,” said Edwards. “The goal will be to provide the entire community with more insights into threats targeting new and known vulnerabilities in OT systems.”

The idea has the approval of the Cybersecurity and Infrastructure Security Agency. Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement that the “scale of threats facing critical infrastructure operators, and in particular Operational Technology networks, requires an approach to information sharing grounded in collaboration and interoperability.”

Goldstein continued: “CISA is eager to continue support for community-driven efforts to reduce silos that impede timely and effective information sharing. We look forward to collaborating with such communities, including the ETHOS community, to improve early warning and response to potential cyber threats, while appropriately protecting sensitive information about our nation’s critical infrastructure community.”

The platform is supposed to work like this: owners and operators working with one of the participating vendors can choose to share anonymized intelligence that might provide an early alert about a large-scale attack, explained Carcano. The idea is to have the development of the community and software portal open-sourced while the intelligence will only be accessible within each ETHOS server.

The ETHOS feed won’t be public. Instead, only those signed up for each ETHOS instance will be able to see and share intelligence — right now that intelligence typically consists of indicators of compromise such as IP addresses, domains and hashes. The initial beta will run on a single server, and general membership applications open in June.

Carcano gave the example of multiple energy companies that are seeing strange behavior but with little indication of an active attack. Within industrial sites, a malicious hacker can take months to learn the specific environment they’re targeting once infiltrated.

“The most sophisticated OT weapon that we see today, they didn’t act right away. It was not ransomware right?” Carcano said. “In the OT, there is more sophistication, there is more time that is required to be able to create damage or exfiltrate data.”

Carcano said that he hopes that one day utilities and other critical companies using ETHOS can choose to send information to CISA or to the Energy Department. Or, Carcano said, a utility can choose to alert CISA that they’re seeing suspicious activity directly through ETHOS and that can go to an international ETHOS server. “I like to dream big,” he said.

MIT and Stanford researchers develop operating system with one major promise: Resisting ransomware
https://cyberscoop.com/database-oriented-operating-system-rsa/
Fri, 21 Apr 2023 18:38:06 +0000

Computer science researchers at MIT and Stanford are developing an operating system with built-in cybersecurity defenses.

The post MIT and Stanford researchers develop operating system with one major promise: Resisting ransomware appeared first on CyberScoop.

Some of the biggest names in modern computing — including a winner of the prestigious Turing Award — are betting on a new type of operating system they say will be resilient against common cyberattacks and bounce back from ransomware infections within minutes.

Those are bold claims. But the people behind the project include Michael Stonebraker, a serial tech entrepreneur and computer scientist at the Massachusetts Institute of Technology whose groundbreaking work on database systems earned him the Turing honor in 2015. He’s teaming up with Matei Zaharia, an associate professor at Stanford University and creator of the Apache Spark project, and Jeremy Kepner, head of the MIT Lincoln Laboratory Supercomputing Center.

“It’s a total new paradigm,” said Michael Coden, associate director of cybersecurity at MIT Sloan School of Management, who took a part-time position at Boston Consulting Group as senior adviser in order to help lead the database-oriented operating system, or “DBOS” for short.

“The revolution here is turning the operating system upside down,” he said. “You get detection internally without external cybersecurity tools or analytics engines more quickly and you can roll back to the pre-attack state for business continuity within minutes or seconds without having to go and do restores. It’s kind of like revolutionary.”

Stonebraker and Coden plan on demonstrating the open-source operating system during the RSA Conference, the annual cybersecurity gathering in San Francisco, next week and showing in real time how it bounces back from a simulated ransomware attack.

The system is structured around databases that save and track all events and changes occurring within the OS. That should mean recovering from ransomware is simply a matter of rolling back a machine to the previous safe state within minutes. With a file-based system, users still have to make backups of that data which, if not set up correctly, can themselves be infected with malware. Additionally, recovery using those backups takes additional time. Coden said that recovery can occur within minutes using the new system.

The benefits are largely borne out of the fundamental difference between DBOS and Linux. Linux operates in a way where, essentially, everything on the system is a file. A folder is actually a file (as are the files in the folder) and even the mouse and keyboard have a file path. Although there are exceptions to the “everything is a file” idea within Unix, generally, that is the idea.

However, instead of everything being a file, the new OS operates from an “everything is a table” perspective. That’s because everything about the current session is kept in a database, which means that all changes to the system are recorded. That comes in handy when a ransomware attack locks access to important data.

“We have a table where we do change capture on everything that happens to every data element in the system so we have a complete list of every change that’s occurred,” Coden said. The table structure also means that the database management system logs are all stored on a single file, in sequence with the same formatting, so searching for logs following a cyberattack or even just suspicious activity is a basic SQL query, Coden explained. “You can do anomaly detection blazingly fast.”

Using the data analytics program Splunk as an example, Coden said that the timetable to detect anomalies went from “several hours” to “hundreds of milliseconds.” “So higher accuracy, much quicker detection built into the operating system. No seven figure license for an external analytics engine.”

“The fundamental concept was we looked at a typical complicated application in a Linux Kubernetes environment and saw that the operating system was managing a million times more state variables than it was designed to,” Coden said. “[Linux] was invented about 40 years ago. It was to run on a single CPU … with maybe 128 kilobytes of memory.”

But while the DBOS system boasts some impressive built-in cybersecurity protections, that wasn’t the initial goal. Stonebraker and Zaharia began working more than two years ago on the database-centered OS because they were annoyed at how slowly and inefficiently Linux systems run once they reach a high enough number of programs and processes. But the cybersecurity benefits are what attracted Coden to the project.

“I said wait a second, here you have a much smaller surface area to begin with — this is no Linux no Kubernetes starting with relational database built on a brand new kernel,” he said. “Because being a high availability database, it has the ability to rollback from any state to a previous state. It can detect an attack in hundreds of milliseconds, block the attack, and then you can roll back to the pre-attack state for business continuity in a matter of seconds. You don’t have to go and get backups from yesterday or last week.”

There is still a ways to go. The operating system currently uses a micro-kernel from Linux, so it’s not complete just yet, and there isn’t a typical desktop experience for casual users. So far, development of the OS has been primarily led by around 20 researchers from MIT and Stanford, including Stonebraker, Zaharia and Kepner. But they also want people to contribute to the open-source project, Coden said. “We want to get everybody to go to the GitHub site and download the software and try it. We want to get feedback from the community.”

Correction April 21, 2023: This article has been updated to correct Michael Coden’s position at Boston Consulting Group.

Misconfiguration leaves thousands of servers vulnerable to attack, researchers find
https://cyberscoop.com/misconfiguration-servers-vulnerable-censys/
Wed, 19 Apr 2023 12:00:00 +0000
https://cyberscoop.com/?p=73263
Simple mistakes and configuration errors are still a major cybersecurity issue, according to security firm Censys.

The post Misconfiguration leaves thousands of servers vulnerable to attack, researchers find appeared first on CyberScoop.
Misconfigured web servers remain a “major problem” with thousands left exposed online waiting for hackers to gain access to valuable information that’s left up for grabs, according to a recent report from the security company Censys.

The firm, which indexes internet-facing devices, found that more than 8,000 servers hosting sensitive information such as log-in credentials, database backups and configuration files are not properly configured.

The data in the company’s latest State of the Internet report, released Wednesday, is yet another troubling sign that many organizations are still not taking basic security precautions to safeguard their own data — as well as their customers’ information.

“In the past decade, some of the most significant data breaches were not caused by advanced nation-state-developed zero-day attacks,” the report noted. “Rather, many of them occurred due to human error, where a mistake led to the exposure of large amounts of data on a server without any security measures in place, such as authentication, authorization, or filtering.”

The firm found more than 18,000 comma separated value files and more than 2,000 structured query language database files — which typically hold important data such as financial documents or sensitive intellectual property — all with zero authentication requirements. While the firm did not look at the contents of those files, “their mere existence on a publicly accessible web server should be enough to raise alarms,” the firm noted.

Censys pointed to a data leak of more than 1.8 million Texas residents’ personal information last year as one of many examples of the long-standing issue.

Censys also found that there are thousands of end-of-life internet-facing devices with widely known vulnerabilities. Hikvision, a Chinese video surveillance company that was recently banned by the Federal Communications Commission due to national security threats, is one of the top services found with “potentially tens of thousands” of devices with a widely known vulnerability.

“The often unglamorous work of asset, vulnerability, and patch management is critical for helping reduce an organization’s attack surface. The security issues we’ve explored in this report aren’t a result of zero days or other advanced exploits, but rather misconfiguration and exposure issues that are likely a result of simple mistakes or configuration errors,” Censys noted.

New hacker advocacy group seeks to protect work of security researchers
https://cyberscoop.com/new-hacker-advocacy-group-seeks-to-protect-work-of-security-researchers/
Thu, 13 Apr 2023 21:01:52 +0000
https://cyberscoop.com/?p=73090
"There are advocacy groups for reptile owners but not hackers, so that seems like a miss," said Ilona Cohen of HackerOne.

The post New hacker advocacy group seeks to protect work of security researchers appeared first on CyberScoop.
Every day, good-faith security researchers around the world face potential criminal prosecution for testing digital systems for flaws, reporting vulnerabilities and figuring out how to repair products. A new advocacy group, the Hacking Policy Council, launched on Thursday and seeks to remedy that by advocating on behalf of researchers in support of laws that protect their work.

While there has been great progress in supporting vulnerability disclosure and security research, the global community of white-hat hackers lacks a coordinated body to lobby on their behalf to address both forthcoming rules and ones already on the books that put them at risk, said Ilona Cohen, chief legal and chief policy counsel at HackerOne and a member of the council.

“There hasn’t really been an advocacy group focused primarily on hackers,” Cohen said. “There are advocacy groups for reptile owners but not hackers, so that seems like a miss — and we’re here to remedy that.”

One of the council’s first priorities is advocating for changes to the European Union’s Cyber Resilience Act, which would require companies to report vulnerabilities within 24 hours. Council members expressed concerns that the current version of the law doesn’t make a distinction between good faith researchers and criminals. Additionally, it doesn’t require that the vulnerability be patched before being shared.

“The concern is you end up with a rolling list of software and vulnerabilities that may not be mitigated shared with perhaps dozens of government agencies,” said Harley Geiger, a cybersecurity policy counsel at Venable, noting that doing so could be dangerous for intelligence reasons if they are leaked to adversaries.

Cohen says that some members of the council have already met with representatives from the European Union, and the council has drafted a letter with its positions. Members also plan to meet with U.S. lawmakers at the RSA Conference later this month.

The council’s founding members include Bugcrowd, Google, Intel, Intigriti and Luta Security. In addition to creating favorable legal conditions for security researchers, the council will work to help organizations strengthen their vulnerability disclosure programs.

Already, the effort appears to have gained the support of some within the U.S. government.

Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said at the launch event on Thursday that the government needs to “shift the balance of the scales to make sure a good faith actor finds a vulnerability before a bad faith actor” and that today “the deck is stacked in the opposite direction.”

Goldstein, who called good-faith hackers “heroes,” pointed to the Justice Department’s directive last year that such security researchers should not be charged under federal hacking law as well as CISA’s coordinated vulnerability disclosure program as evidence of the government’s improving relationship with security researchers but noted that more needs to be done.

Separately, a new legal defense fund for security researchers launched on Wednesday. The non-profit Security Research Legal Defense Fund will provide financial support for security researchers facing legal threats. The fund will be overseen by a board of directors that includes Jim Dempsey at the University of California at Berkeley, Kurt Opsahl, the associate general counsel at the Filecoin Foundation, and Amie Stepanovich, the vice president of the Future of Privacy Forum.

Google will provide seed funding for the defense fund, which will be run independently of its funders. The board will take into consideration financial need as well as the nature of the individual’s actions in determining which cases to support.

The United States has made strides toward largely decriminalizing good-faith security research in recent years. Last year, the Justice Department announced a new policy directing that good-faith security researchers should not be charged under the Computer Fraud and Abuse Act, but that hasn’t stopped private companies from using legal threats to stymie security research.

Companies threatening to sue good-faith security researchers and journalists remains a common occurrence and something that experts say can have a chilling effect on much-needed vulnerability research. States have also threatened researchers in recent years and tend to have broader hacking laws.

“If they do get the threatening letter, if they do face potential criminal prosecution, someone needs to be there to help them,” Opsahl said.

Examples of cases that the board might take on include the Missouri journalist threatened last year by the state’s governor for publishing an article about a vulnerability in a state website’s source code and students seeking to present research on public vulnerabilities. Initially, the fund will focus on the United States, but its charter allows it to support researchers abroad as well.

The group is encouraging researchers who can’t collect bounties due to their jobs to donate them to the fund. Google will quadruple-match any funds donated through its bug bounty program. The fund hopes that additional companies and individuals will provide funding over time.

Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool
https://cyberscoop.com/ukraine-internet-outages-infrastructure-attacks/
Wed, 12 Apr 2023 13:00:00 +0000
https://cyberscoop.com/?p=73008
With its war effort faltering, the Kremlin is stepping up its attacks on Ukrainian power plants, resulting in cascading internet failures.

The post Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool appeared first on CyberScoop.
When Russian forces crossed into Ukraine early last year, one of their first targets was a key piece of internet infrastructure. By hitting the satellite internet provider Viasat on Feb. 24, 2022, with a wiper malware attack that infected its networking hardware, Russian forces appear to have disrupted communications at a key moment. 

But as the war has dragged on, disruptions to Ukraine’s internet have grown increasingly low tech. With the Russian war effort faltering, the Kremlin has stepped up its missile and artillery attacks on Ukraine’s energy infrastructure, and that has resulted in a series of localized internet outages, according to findings released by the security company Cloudflare on Wednesday.

Beginning in the fourth quarter of 2022 and into the first quarter of 2023, a series of Russian strikes on local energy infrastructure caused internet outages in cities ranging from Odessa to Kharkiv. On Jan. 27, Russian airstrikes targeted Odessa’s internet infrastructure, resulting in a partial outage that lasted some 18 hours. On March 9, Russian attacks on Ukrainian energy and distribution networks caused disruptions in internet access in Kharkiv that lasted nearly two days. 

The shift in Russian targeting to more aggressively focus on energy infrastructure has had cascading effects on Ukraine’s internet access. “The power goes down in a given area and internet access obviously suffers,” said David Belson, Cloudflare’s head of data insight. When the power gets knocked out, that can cause cell transmission towers to no longer function, knocking out the internet in unpredictable ways.  

“The network engineers there are really doing heroic work just keeping facilities online,” he said.

There is nothing to indicate that Russian forces are striking electrical infrastructure with the goal of disrupting the internet, but Cloudflare’s data shows how the Kremlin’s shift toward more aggressive targeting of civilian infrastructure is impacting ordinary Ukrainians’ access to information.

Internet access has been key to Ukraine’s attempt to fend off the Russian invasion. The invasion forced key Ukrainian state services to move online, and the internet has been a primary method for the government to spread information about what is happening in the country, for President Volodymyr Zelensky to broadcast his nightly address and to galvanize domestic and international support.

In areas controlled by Russian forces, occupying powers have re-routed key parts of Ukraine’s internet infrastructure to make it more easily surveilled.

Fact or fiction, hacktivists’ claims of industrial sabotage in Russia or Ukraine get attention online
https://cyberscoop.com/hacktivist-target-operational-technology/
Wed, 22 Mar 2023 12:45:00 +0000
https://cyberscoop.com/?p=72408
Hacktivists are increasingly turning toward targeting operational technology in critical infrastructure systems.

The post Fact or fiction, hacktivists’ claims of industrial sabotage in Russia or Ukraine get attention online appeared first on CyberScoop.
Hacktivist groups on both sides of the Ukraine war increasingly claim to have infiltrated critical infrastructure networks in a bid to stoke fears about their abilities to disrupt sensitive operations, the cybersecurity firm Mandiant said in a report released Wednesday.

Hacktivist groups such as Team OneFist and GhostSec have claimed to have infiltrated operational technology networks in recent months, in hopes that their claims of destructive hacks will get the public’s attention along with messages either for or against the war.

And while the majority of the hacks may be exaggerations or fabrications, Mandiant notes, the increasing interest from non-state actors in OT networks is troubling.

“Despite the inaccuracy of most claims, when hacktivist activity targeting OT becomes commonplace, the likelihood of actual and even substantial OT incidents increases,” according to Mandiant, which is now part of Google Cloud. “The risk is higher for organizations that are perceptibly associated with political events or social disputes based on geographic location, nationality, language, or industry of relevance.”

As Mandiant points out, hacktivists have tended to go after easier targets: website defacements, denial of service attacks or hack-and-leak operations. “Historical hacktivist activity has largely focused on simpler attacks that are intended to get the attention of broad audiences, such as website compromises or denial of service attacks.”

But the Ukraine war has shifted that focus for many, said Daniel Zafra, Mandiant analysis manager at Google Cloud. Hacktivist groups seek the attention that comes from these types of attacks so that their messages spread further online and the groups themselves appear to have more technical ability than they actually possess. Zafra said the war attracted hackers looking to support either side, but also warned that state-backed hackers could pose as hacktivists in order to disrupt OT while retaining plausible deniability.

Zafra said Mandiant began tracking hacktivists’ claims of having a physical impact through OT attacks around 2021. In 2022, the firm saw a marked increase in such declarations and the growing use of Telegram and Twitter to boast about accomplishments.

One of the more active groups last year was Team OneFist, also called Joint Cyber Center, which claims to be associated with the IT Army of Ukraine. It purported to have attacked Russian power plants, airports, a paper mill and other industrial targets, all in support of Ukraine.

It’s not hard to make those claims, says Zafra. One of the more common methods appears to be posting a screenshot of a human-machine interface while declaring to have hacked an OT device at an industrial organization.

What is hard, however, is verifying these claims. Mandiant noted that it often could not confirm or debunk the assertions with the limited data presented. However, that does not stop the assertions — and the political message — from being spread online or receiving media attention.

Team OneFist has been caught exaggerating before. In June 2022, the group said that it disabled a cellular router supporting OT in Russia, causing an outage at a nearby power plant. However, local media reports said that the outage was at a different power plant nearly 400 miles away.

GhostSec, which has links to the hacktivist collective Anonymous, is one group that was not born out of the Russian invasion of Ukraine. In January, it claimed to have been the first group to conduct a ransomware attack on a remote terminal unit, a device that connects to industrial valves and relays to provide controls and status updates. The claim was quickly debunked online as overstated by industrial cybersecurity experts, but even such claims show an increased interest in, and better understanding of, some of the terminology used inside critical infrastructure — a marked difference from years past, experts note.

Zafra noted that while the Ukraine war may be the biggest driver for hacktivists focusing on OT in the past year, that doesn’t mean that the target is going to go away anytime soon. “The rate at which it’s growing might slow down because there’s not that immediate need, but I do think that it’s going to continue happening.”
