Because the security vulnerability is under active exploit, Google isn't releasing full details of the flaw while users could remain vulnerable.

A Google Chrome zero-day vulnerability is under active exploit in the wild, and while details are scarce, users are urged to update their Windows, Mac, and Linux systems to the latest version directly.

The fix for the high-severity bug, being tracked as CVE-2023-2033, is being pushed out through the stable desktop and extended stable channels, and will continue to roll out over the next weeks, Google explained in its April 14 cybersecurity advisory.

The flaw was discovered by Clément Lecigne of Google's Threat Analysis Group on April 11, the company said.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google added. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Issues Emergency Chrome Update for Zero-Day Bug

**Cyber Florida at the University of South Florida -** Tampa will host the national championship round of the NCAE Cyber Games on April 22 on the University of South Florida-Tampa campus. The event will be live-streamed via Twitch at https://www.twitch.tv/ncaecybergames from 1:00 to 4:00 pm on April 22 and feature 12 regional winning teams competing for the national championship. The competing teams will represent Liberty University, Syracuse University, Brigham Young University, Prescott - Embry-Riddle Aeronautical University, University of Tulsa, Daytona Beach - Embry-Riddle Aeronautical University, University of West Florida, Metro State University, Eastern Washington University, Cal Poly Pomona, University of Florida, and defending National Champions Illinois Institute of Technology.

Funded by a grant from the National Security Agency’s National Center of Academic Excellence in Cybersecurity (NCAE-C) program, NCAE Cyber Games is a collegiate cyber competition for first-time competitors, where they can learn about cyber competitions in an environment focused on teamwork, building confidence, and growing their skills. Cyber competitions provide valuable resume experience but can be intimidating to newcomers. NCAE Cyber Games provides an on-ramp for new competitors to learn and prepare for larger competitions such as the National Cyber Collegiate Defense Competition. The program also helps NCAE-C-designated institutions recruit new students for their cyber competition teams.

Now in its second year, the program has grown from about 500 competitors from 50 colleges and universities in Year 1 to 700+ competitors from more than 80 colleges and universities out of approximately 350 NCAE-C institutions.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSA's National Centers for Academic Excellence (NCAE) Cyber Games to Hold National Finals on April 22

Learning how to break the latest AI models is important, but security researchers should also question whether there are enough guardrails to prevent the technology's misuse.

Samsung has banned some uses of ChatGPT, Ford Motor and Volkswagen shuttered their self-driving car firm, and a letter calling for a pause in training more powerful AI systems has garnered more than 25,000 signatures.

Overreactions? No, says Davi Ottenheimer, the vice president of trust and digital ethics at Inrupt, a startup creating digital identity and security solutions. A pause is needed to develop better approaches to testing, not just of the security, but the safety of machine-learning and artificial-intelligence models. These include ChatGPT, self-driving vehicles, and autonomous drones.

A steady stream of security researchers and technologists have already found ways to circumvent protections placed on AI systems, but society needs to have broader discussions about how to test and improve safety, say Ottenheimer, who will give a presentation on the topic at the RSA Conference in San Francisco next week.

"Especially from the context of a pentest, I'm supposed to go in and basically assess \[an AI system\] for safety, but what's missing is that we're not making a decision about whether it is safe, whether the application is acceptable," he says. A server's security, for example, does not speak to whether the system is safe "if you are running the server in a way that's unacceptable ... and we need to get to that level with AI."

With the introduction of ChatGPT in November, interest in artificial intelligence and machine learning — already surging due to applications in the data science field — took off. The eerie capabilities of the large language model (LLM) to seemingly understand human language and to synthesize coherent responses has led to a surge in proposed applications based on the technology and other forms of AI. ChatGPT has already been used to triage security incidents,  and a more advanced LLM forms the core of Microsoft's Security Copilot.

Yet the generative pre-trained transformer (GPT) is just one form of AI model, and all of them can have significant problems with bias, false positives, and other issues.

**Exploiting Robots Is Easy**

These shortcomings, and a general lack of explainability in AI models, means that any model can be attacked in ways that the creators may not have imagined, Inrupt's Ottenheimer will say in his RSA Conference presentation, Pentesting AI: How to Hunt a Robot. If AI models are quickly adopted without adequate study, they may make their way into critical application, where they could be attacked or fail spectacularly, he says.

"It's actually super easy to make them fail," Ottenheimer says. "Most people are looking at it as, 'Can I fool it in this one area?' but that's not the discussion you should be having, because — oh my god — you're using this technology in a totally inappropriate way."

Recent research demonstrates how simple attacking AI can be. Asking ChatGPT to mimic specific people, also known as assigning it a persona, can result in the AI model breaking its guardrails, according to a team of researchers from the Allen Institute for AI, the Georgia Institute of Technology, and Princeton University. The researchers had ChatGPT assume a variety of personas, and even a general persona — such as a "bad person" — can result in the large language model using toxic language, the team stated in a paper published on April 11.

With a plethora of products already shipping using ChatGPT, the researchers warn that it can unexpectedly result in harmful behavior.

"We hope that our findings inspire the broader AI community to rethink the efficacy of current safety guardrails and develop better techniques that lead to robust, safe, and trustworthy AI systems," the researchers stated in their paper.

**Time to Turn Off the Tech & Do a Reset**

Ottenheimer breaks down AI tests into six categories based on the traditional CIA triad: Confidentiality, integrity, and availability. False positives, for example, can lead to significant costs for society, such as emergency responders who are overtaxed because skiers' Apple watches are dialing 9-1-1 due to jarring runs down slopes. The academic research on using personas to jailbreak ChatGPT's content protections is similar to other research, which created a persona DAN (Do Anything Now) that allowed users to bypass safeguards.

Companies and researchers need to find ways to do a hard reset of such systems, to purge any toxic inputs, but at the same time teach the AI to take such actions in the future.

"You actually have to reset it, such that the harms don't happen again, or you have to reset it in a way that the harms can be undone," Ottenheimer says.

Finally, the threat to privacy is a significant threat as well as large language models use a vast data set, typically copied from the Internet, without the permissions of the publishers of that data. Italy has given OpenAI until the end of April to find ways to protect people's data and allow correction or deletion. And the efforts may grow as the European Data Protection Board (EDPB) has launched a task force dedicated to studying the issue and fostering cooperation.

Pen Testers Need to Hack AI, but Also Question Its Existence

Communicating cyber-risk upward to the C-suite and board takes simplification and a better understanding of the audience.

For at least a decade now, career-minded security leaders have well understood the importance of effective communication with the board and CEO. CISOs know they must gain the buy-in of these decision-makers to successfully instill a security-minded culture at their organizations — not to mention to greenlight enough funds for an effective cybersecurity budget.

The problem is that most CISOs today still can't turn that awareness into action. While CISOs are communicating with the board and the C-suite more than ever, they're still struggling to craft the right narratives that help them communicate risk to the board and drive meaningful collaboration between the security team and the rest of the business.

Security experts believe that CISOs need to rethink the content and the context of their messages in order to more reliably hit the mark with their executive counterparts. And most importantly, says Andy Ellis, advisory CISO for Orca Security, they need to tighten up their language and their goals for each interaction.

"CISOs need to think, 'What is the least amount of information we need to give to stimulate action?'" says Ellis, who is due to present at RSA next week on this topic and whose new book, _1% Leadership_, will be released this week. "Literally, I have a chapter in my book titled, 'Make the Smallest Argument Necessary to Spur Action.'"

The good news for CISOs today compared with those of yesteryear is that the channels of communication between them, the board, and the C-suite are increasingly opening up. The lesson is that it is going to take a whole lot more clear, simple communication for CISOs to net better results from their interactions with their boards.

**CISO Board Reports More Frequent but Ineffective**

The good news for today's CISOs is that the channels of communication between CISOs, the board, and the C-suite are increasingly opening up. According to "The State of CISO Influence 2023" survey, conducted by Dark Reading on behalf of Coalfire, 28% of CISOs present monthly updates to the board — up 10 percentage points in just the past year. Additionally, more than half of CISOs said they report to the board on at least a quarterly basis.

Unfortunately, for all of the increases in frequency of communication between CISOs and the executive suite, that upward communication remains largely ineffective.

The realistic CISOs reading the room sense that they're losing their audience. In the recent "Voice of the CISO" report from Proofpoint, security leaders in large organizations reported a huge drop in board support over the last year. Just 51% say they have the support of their board, compared with 71% who said the same last year.

Meanwhile, the directors are confirming that this perception isn't just in the CISOs' heads. A study from PwC this month shows that less than a third of directors are completely satisfied with the information they're getting about cybersecurity today.

"We have an image crisis that is only getting worse, and we need to rebrand ourselves," says Joseph Carson, chief security scientist and advisory CISO at Delinea. He explains that the CISO has to stop focusing on cybersecurity minutiae — things like attack metrics and precise technical details — and start measuring themselves and communicating about business outcomes. "That is the way to win support from the board," he says.

One of the biggest traps that CISOs fall into when communicating with the board is "overloading them with technical jargon," Carson adds. One recent study from the RSAC Executive Security Action Forum (ESAF), a community of Fortune 1000 CISOs, shows that over half of CISOs — 58% — admit that they struggle to communicate technical language to senior leadership in a way they can understand.

The fact that they are even endeavoring to explain that language in the first place indicates how much the content of their updates needs to change to facilitate more fruitful board discussions.

**Taking the Fairy Tale Approach**

Kurt Manske, managing principal at Coalfire, says he frequently sees CISOs struggle with understanding which key points, facts, or figures to share with their boards.

"A key problem for more technical-oriented CISOs is when and how to pivot during the board presentation and discussion from 'educating' to 'communicating,'" he says.

Sometimes simply mentioning one offhand technical detail can lead a CISO down an educational rabbit hole that completely distracts the board from the meat of what a CISO was really trying to communicate. Helping CISOs avoid these kinds of conversation killers is the whole drive behind Ellis' upcoming talk at RSA, titled, "Telling Fairy Tales to the Board: Turn Attack Graphs into Business Stories."

In his position at Orca Security, Ellis has helped the firm develop graph-based visualization maps that show potential attack paths within an organization's infrastructure. As valuable as that tool can be in communicating a potential attack story to security teams, he says he'd never show them to the board. His idea for his RSA session came up when he shared that with his co-speaker and technical counterpart, Oren Sade, chief of staff at Orca, who was aghast that Ellis thought the visualization's narrative doesn't work for the board.

"He was like, 'Why? This is great. It's a simple story. Andy, you helped us write this story,'" Ellis says. "And I'm like, 'Yeah, but the moment that I say Spring4Shell — or whatever the vulnerability that's being exploited — now I've got to spend 45 minutes explaining what Spring4Shell is because half of the board members think they're forgetting context.'"

Ellis' discussion will translate five different technical "stories" told by various theoretical attack paths into a slide deck and narrative line that actually works for board members. But before he does that, he will frame it with a fairy tale to help audience members understand what he's trying to do.

"I will literally be on stage, and I'll read the first four minutes of _Little Red Riding Hood_, and then we'll actually build an attack path and say, 'Here is the attack the wolf conducted against Little Red and all of the vulnerabilities that get exploited,'" he says. "And then we say, 'But notice that if you tried to tell it that way, nobody cares.'"

As Ellis explains, in the fairy tale the story is not actually about the wolf eating Red Riding Hood. The story is a cautionary tale for kids that is conveying messages of avoiding hazards like "don't talk to strangers" and "don't leave the trail."

Similarly, the stories for the board are driving toward a message of avoiding unnecessary losses, using security professional expertise in identifying the hazards that make that more likely to happen.

"A system having a vulnerability is not a hazard. The hazard is, 'We don't patch our systems enough,'" Ellis explains. "What's interesting is what happens at the end, right? Customer data gets stolen, ransomware takes over, whatever it is. You always start by talking about the unacceptable outcomes."

How CISOs Can Craft Better Narratives for the Board

Thousands of restaurants impacted by what Aloha PoS parent company NCR says was a ransomware attack on one of its data centers.

After days of outages, NCR Corp. has confirmed that its Aloha point-of-sale (PoS) software platform, used by thousands of restaurants across the US, was taken down by a ransomware attack on one of its data centers.

The BlackCat ransomware group has claimed responsibility for the Aloha POS cyberattack.

"Please rest assured that we have a clear path to recovery and we are executing against it," NCR's disclosure said. "We are working around the clock to restore full service for our customers."

Service disruptions for Aloha POS users began days ago, with the first update put out by NCR on April 12. At the time, it simply said the company was "investigating" the issue. In the absence of information, an Aloha POS subreddit has been filled with users sharing tips, workarounds, and any new information.

The Aloha PoS website lists a raft of restaurants, including Mad Mex and Chipotle, among its customers.

"BlackCat/ALPHV claimed responsibility for the attack and stated that they didn't steal any data but did take credentials that they are using as leverage to receive a ransom payment," says Timothy Morris, chief security adviser at Tanium. "It isn’t known how the attacker got initial access."

Lior Yaari, CEO and co-founder of Grip Security, noted in an emailed statement that the interest in credentials is a wake-up call for other organizations.

"Because in a distributed environment, identity is the ultimate control point and credentials paired with identities is like getting the golden ticket to everything else," he explained. "The sensitivity and criticality of credentials is not a big surprise for attackers and cybercriminals, as credentials have remained the top target for attackers for more than a decade. The difference here is, now, organizations have increased their level of concern for credential, making them just as attractive for ransomware gangs as intellectual property."

Aloha PoS Restaurant Software Downed by Ransomware Attack

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Easter is over, and now it's time for the bunny to head back to the office. What do you think our fluffy friend is saying? Come up with a clever cybersecurity-related caption, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the May 10, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading April Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Congratulations to Alan Ortiz for his clever caption, below, in response to our March contest, "It's E-Live!" Mary Shelley, Mel Brooks, and Gene Wilder would all be proud! And thank you, readers, for all the great submissions!     

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Lucky Charm

A little preconference reconnoitering of upcoming seminars, keynotes, and track sessions makes plotting your days easier. Here's one attendee's list.

San Francisco's Moscone Center will soon be overrun by cybersecurity's biggest conference of the year. Next week, RSAC 2023 will bring together the best and brightest cybersecurity leaders and innovators from around the world to partake in a packed schedule of introductions, meetings, and cocktail parties — not to mention a laundry list of panel sessions led by the biggest names in the industry covering just about every topic in the field.

It can be difficult to decide which sessions to pick out of RSAC 2023's list of 500-plus options. This is why it's important to plan in advance and select sessions strategically.

**My Top Five Picks**

As a founder of an early-stage data security company, I've focused my selection on sessions that will be most useful to my company-building journey. This includes those that might help hone my value propositions and product direction as well as any that could keep me ahead of my field's top trends. After careful consideration, here are my top five picks.

****Achieving Privacy and Data Protection Through Careful Design****

Monday, April 24

**Why you should attend:** This session promises an interactive discussion about privacy-by-design and other solutions that both prevent privacy harm and deliver business value. This underscores a larger trend in enterprise need for security and protection solutions to offer at least one business-related value proposition beyond ROI for risk aversion. I'm hoping that this session will provide new insight into how enterprise data security postures and business needs converge.

****The Perfect Storm: Preparing Today for the Future State of Cloud Security****

Monday, April 24

**Why you should attend:** The CSA Summit is one of RSA's largest events, taking place as a series of sessions over the course of one day. Exploring the themes of resilience, compliance, state of the art, and confidential computing, the summit will cover all angles of the cloud's increasing mission-critical role in keeping businesses productive. Keen on staying ahead of the market, the panel I'm particularly interested in will predict the future threat landscape of cloud security and corresponding enterprise needs. Given that cloud data stores house the majority of today's enterprise data, this is a session data security entrepreneurs can't miss.

****Cyber Defense Matrix Learning Lab****

Thursday, April 27

**Why you should attend:** This session will feature an overview of the Cyber Defense Matrix (CDM) by its creators. The CDM was developed to help cybersecurity leaders better contextualize and organize their security programs. Understanding it can provide direct insight into how cybersecurity customers think as well as the decision-making processes they use. I recommend this session to anyone looking to build a product message that will resonate with their target audience.

****The Path Forward for the United States' Data Security and Privacy Gap****

Wednesday, April 26

**Why you should attend:** In another interactive discussion, attendees will have the opportunity to explore how data security and privacy converge, as well as discover emerging federal compliance trends. Security and privacy are often conflated, and this can cause confusion when it comes to delegating clear risk owners. In addition to discussing updates in federal policies for each field, this session will provide insight into the latest best practice interpretations of their relationship and boundaries.

****Cybersecurity as a Strategic Asset****

Wednesday, April 26

**Why you should attend:** I recommend this session for entrepreneurs who want a look into how cybersecurity actually operates within an organization. This is key to understanding how cybersecurity responsibilities and stakeholders are delegated, as well as how cybersecurity culture forms, to design a seamless integration process for your product.

**Final Thoughts**

In truth, between all the shoulder-rubbing, I believe the audience chair of these sessions is the perfect place to seek refuge for recharging my social battery. These sessions can also be easy opportunities to meet peers who share my interests. I hope these sessions will prove useful and interesting for you, too!

Top 5 Data Security RSAC 2023 Sessions to Attend

The threat group behind the SolarWinds supply chain attacks is back with new tools for spying on officials in NATO countries and Africa.

As part of its ongoing invasion of Ukraine, Russian intelligence has once again enlisted the services of hacker group Nobelium/APT29, this time to spy on foreign ministries and diplomats from NATO-member states, as well as other targets in the European Union and Africa.

The timing also dovetails with a spate of attacks on Canadian infrastructure, also believed to be linked to Russia.

The Polish Military Counterintelligence Service and the CERT team in Poland issued an alert on April 13, along with indicators of compromise, warning potential targets of the espionage campaign about the threat. Nobelium, as the group is designated by Microsoft, also named APT29 by Mandiant, isn't new to the nation-state espionage game, the group was behind the infamous SolarWinds supply chain attack nearly three years ago.

Now, APT29 is back with a whole new set of malware tools and reported marching orders to infiltrate the diplomatic corps of countries supportive of Ukraine, the Polish military and CERT alert explained.

**APT29 Is Back With New Orders**

In every instance, the advanced persistent threat (APT) begins its attack with a well-conceived spear-phishing email, according to the Polish alert.

"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents."

The message would then direct the recipient to click on a link or download a PDF to access the ambassador's calendar, or get meeting details — both send the targets to a malicious site loaded with the threat group's "signature script," which the report identifies as "Envyscout."

"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish authorities added. "This makes the malicious file more difficult to detect on the server side where it is stored."

The malicious site also sends the targets a message reassuring them they downloaded the correct file, the alert said.

"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, tells Dark Reading about the campaign. "This espionage campaign meets all of the criteria for success."

One phishing email, for instance, impersonated the Polish embassy, and, interestingly, throughout the course of the observed campaign, the Envyscout tool was tweaked three times with obfuscation improvements, the Polish authorities noted.

Once compromised, the group uses modified versions of Snowyamber downloader, Halfrig, which runs Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, the Polish alert said.

"We are seeing an increase in these attacks where the bad actor uses multiple stages in a campaign to adjust and improve success," Harr adds. "They employ automation and machine learning techniques to identify what is evading detection and modify subsequent attacks to improve success."  
Governments, diplomats, international organizations, and non-governmental organizations (NGOs) should be on high alert for this, and other, Russian espionage efforts, according to Polish cybersecurity authorities.

"The Military Counterintelligence Service and CERT.PL strongly recommend that all entities that may be in the actor's area of interest implement configuration changes to disrupt the delivery mechanism that was used in the described campaign," officials said.

**Russian-Linked Attacks on Canada's Infrastructure**

Besides warnings from Polish cybersecurity officials, over the past week, Canada's Prime Minister Justin Trudeau made public statements about a recent spate of Russian-linked cyberattacks aimed at Canadian infrastructure, including denial-of-service attacks on Hydro-Québec, electric utility, the website for Trudeau's office, the Port of Québec, and Laurentian Bank. Trudeau said the cyberattacks are related to Canada's support of Ukraine.

"A couple of denial-of-service attacks on government websites, bringing them down for a few hours, is not going to cause us to rethink our unequivocal stance of doing whatever it takes for as long as it takes to support Ukraine," Trudeau said, according to reports.

The Canadian Centre for Cyber Security boss, Sami Khoury, said at a news conference last week that while there was no damage done to Canada's infrastructure, "the threat is real.""If you run the critical systems that power our communities, offer Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't do without, you must protect your systems," Khoury said. "Monitor your networks. Apply mitigations."

**Russia's Cybercrime Efforts Rage On**

As Russia's invasion of Ukraine wages on into its second year, Mike Parkin with Vulcan Cyber says the recent campaigns should hardly be a surprise.

"The cybersecurity community has been watching the fallout and collateral damage from the conflict in Ukraine since it started, and we've known Russian and pro-Russian threat actors were active against Western targets," Parkin says. "Considering the levels of cybercriminal activity we were already dealing with, \[these are\] just some new tools and new targets — and a reminder to make sure our defenses are up to date and properly configured."

Russian SolarWinds Culprits Launch Fresh Barrage of Espionage Cyberattacks

Detailing how extended IoT (xIoT) devices can be used at scale by attackers to establish persistence across networks and what enterprises should start doing about the risk.

Extended IoT devices (xIoT) stand as a perennial favorite for cyberattackers seeking to move laterally and establish persistence within enterprise networks. They've got everything the bad guys need for a foothold: They're grossly under secured, they're present in large numbers (and in sensitive parts of the network), and, crucially, they're typically not well monitored.

In an upcoming session at RSA, security researcher and strategist Brian Contos will walk his audience through the ways that these devices can be used to create very broad attacks against enterprise resources, along with what security strategists should be doing to counter the risk.

"I'll be doing some xIoT hacking demonstrations, because everybody likes to see things broken into," says Contos, chief strategy officer for Sevco Security. "But in the xIoT world it's quite easy to compromise, so I won't focus on that but instead on how it can be used as a pivot point to attack on-prem devices, in-cloud devices, to steal sensitive data, maintain persistence, and evade detection."

His goal is to show the entire life cycle of the attack in order to demonstrate the weighty ripple effects that are in the offing from leaving xIoT devices unmanaged and unmonitored in enterprise environments.

**The Prevalence of xIoT Insecurity**

As Contos explains, xIoT devices typically fall into three device categories that all proliferate significantly in business environments. The first are the enterprise IoT devices like cameras, printers, IP phones, and door locks. The second are operational technology devices like industrial robots, valve controllers, and other digital equipment that control physics in industrial settings. The third — and often least remembered — are general network devices like switches, network attached storage, and gateway routers.

"The thing all of these devices have in common is that they're all purpose-built devices, created for one specific purpose," he notes. "They're network connected, and you can't install any additional 'stuff' on them. So, you can't put a firewall or an IPS, or antimalware on them. So, all of the traditional IT controls don't necessarily fit well in this world of xIoT."

He says his research over the last couple years has shown that in the typical enterprise network, there are usually three to five xIoT devices per employee floating around. In some industries — such as oil and gas or manufacturing, that number can scale upward to more like five to six devices per employee. So a manufacturing company with 10,000 employees could easily be looking at 50,000 of these devices on their network.

"And what you're going to find is that about half of those are running a default password, which takes all of a half a second for me to look up on Google," he says. "If I Google, 'What's the default password on an APC UPS system, it will tell me the default username is 'apc' and the default password is 'apc.' And I can tell you from experience, I have yet to have ever seen an APC UPS system in the wild that doesn't have 'apc-apc' as the username and password."

On top of that, he explains that more than half of xIoT devices are also running critical-level CVEs that require little to no hacking expertise to leverage remotely and gain root privileges on the devices.

"Because of the volume, if you don't get into the first 1,000 to 2,000 devices, chances are you are going to get into the next 1,000 to 2000," he says.

**The Lessons Learned**

Contos' hacking demonstrations will dive into how a different device from each of the xIoT device categories can be used for a myriad of attack purposes, from turning off power to destroying an asset, and exfiltrating sensitive data to expanding attack reach across a network. He will share information on xIoT hacking tools that nation-state actors have built and explain how the threat actors are putting serious money into investing in these kinds of attacks.

"I want the audience to understand how easy it is and to understand this is a risk that requires some focus within their organization," he says.

As a part of the discussion, Contos will discuss countermeasures that include solid asset management, identity management, and patch management around xIoT, as well as compensating controls like segmentation and MFA in order to harden the xIoT attack surface. He also says he hopes to explain that defenses shouldn't be planned "in a bubble." This is not the kind of security measure that should be developed by a special task force that's removed from cloud security and other security groups, in other words.

"This should all be integrated because all of these devices touch each other," he says. "It should be part of one larger approach."

Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement

Google has opened up its software-dependency database, adding to the security data available to developers and toolmakers. Now developers need to use it.

Developers interested in gauging the security of open source components have an abundant number of choices, but they still have to choose to use the information to audit the components in their applications, experts say.

On April 11, Google announced its deps.dev API service, which includes security metadata that covers more than 5 million components across five software ecosystems, including the main open source repositories for Go, Java, Python, JavaScript, and Rust. The data is accessible through both the company's deps.dev website and a dataset that can be queried through a new API.

Developers can use the information to help choose packages, integrated development environments (IDEs) could offer security metrics as a developer works, and application-security tool makers could add the information to the list of sources they use to offer verdicts on the security and maintainability of open source software components, says Nicky Ringland, product manager for Google's Open Source Security Team.

"It could also mean looking at reporting after the fact ... and perhaps discovering some dependency challenges that they need to address," she says. "Ultimately, being able to check a potentially very large set of dependencies across multiple language ecosystems for security or licensing issues, automated and at scale ... is a powerful tool that we hope will benefit the whole ecosystem."

The Google deps.dev service's release comes as software developers, application security firms, and the US government work to find ways to improve the security of the open source software ecosystem. The exploitation of vulnerabilities in the Log4j logging package for Java — which is expected to be an "endemic vulnerability," according to the US Department of Homeland Security's Cyber Safety Review Board (CSRB) — underscores the importance of not only minimizing vulnerabilities in open source packages, but also eliminating the use of vulnerable packages.

A variety of efforts are already underway to give open source projects more tools to improve security and communicate their own dependencies, but developers must make security a priority and use information to know which components to download, says Brian Fox, co-founder and chief technology officer of software security firm Sonatype. The firm discovered that when a developer "consumes" a software component that has a vulnerability, 96% of the time a fix was already available.

"In other words, the problem is not really about our open source projects doing a good job. The Log4j team turned a patch over Thanksgiving weekend — in days, right — probably faster than most companies would have been able to do the same for a commercial project," he says. "We need to do a better job. Organizations that are consuming open source are doing a terrible job of making these decisions."

**A Feast of Dependency Data**

Google's deps.dev service adds another source for developers to search for information on open source components, but it is far from the only one. Sonatype revamped its OSS Index in 2018, modernizing the service to provide access to security and maintenance data on millions of software projects from 14 different ecosystems, such as the RubyGems package system for Ruby and the RPM Package Manager for Linux, in addition to the five covered by Google.

Other services, such as OpenText's Debricked, also offer a view into their own dependency datasets, tagging the projects and offering measures of popularity, contributor activity, and security.

The data should allow any developer to make better decisions but also give toolmakers another source of data to improve their guidance for software programmers, says Google's Ringland.

"Our intent for the API is that it is usable for anything from quick one-off scripts to complex tooling, like editor plug-ins or build system integrations," she says. "We see real appetite for this data — in everything from IDEs to CI/CD systems to audit dashboards — and are excited to be bringing critical security information to developers, CISOs, open source maintainers, and more."

Endor Labs, which focuses on helping developers make better choices using software dependency data, already uses deps.dev as one of its sources, but it lauded the more streamlined database access. Endor Labs pairs such data with extensive analysis to minimize false positives, such as when an application uses an open source library but not the vulnerable functions in that library.

The company also intends to make its own dependency information more accessible through DroidGPT, a ChatGPT-based service that makes risk data searchable in a conversational way, says Varun Badhwar, CEO and co-founder of Endor Labs. The goal is to reduce the amount of work to select and manage open source dependencies because selecting the wrong ones can create a great deal of future work — otherwise known as technical debt.

"Technical debt is typically created when developers are asked to constantly patch and fix vulnerabilities in open source code, despite most of that code not actually being in use," Badhwar says. "The way to reduce technical debt with OSS is by selecting better dependencies and prioritizing risk that actually matters."

**SBOM + Dependency Data = Better Software Security**

The dependency data will really start to be useful as developers and toolmakers begin combining the data with the software bill of materials (SBOMs) that are increasingly being created by development tools.

SBOMs can help organizations and development teams by illuminating their use of open source libraries, such as whether they are using five different encryption libraries or 12 loggers, says Sonatype's Fox.

"They have that shock moment when they realize they're using a dozen, 15 different components that all do the same thing," Fox says. By combining SBOMs and security data, "I can look at the whole entirety of my portfolio and start reasoning about it."

Adding security data to that allows companies to make better choices about how to streamline their software selection, and tools — such as the publicly available Security Scorecard — or commercial services can help, Endor Labs' Badhwar says.

"As the effort starts to span multiple teams and requires much engineering effort, and as they look to start reducing development effort on false positive security alerts, companies will find better ROI with \[these\] tools," he says.

Source

DARKReading