Diverse ecosystem of global technology, finance, and university leaders join as first OpenWallet Foundation Members, many more expected.

**BRUSSELS and SAN FRANCISCO, February 23,  2023 --** Linux Foundation Europe, an independent trusted supporter and vendor-neutral home for open source projects in Europe, today announced the official formation of the OpenWallet Foundation (OWF). This new, collaborative effort will develop open source software to support interoperability for a wide range of wallet use cases, including making payments, proving identity, storing validated credentials such as employment, education, financial standing, and entitlements — to enable trust in the digital future. 

Inaugural Premier members sponsoring the OWF include Accenture, Gen, Futurewei and Visa. General members sponsoring the foundation include American Express, Deutsche Telekom / T-Systems, esatus AG, Fynbos, Hopae, IAMX, IDnow, IndyKite, Intesi Group, Ping Identity, SmartMedia Technologies (SMT), Spruce and Swisscom. 

Additionally, 20 leading nonprofits and academic and government entities have joined the foundation, including Customer Commons, Decentralized Identity Foundation (DIF), Digital Identification and Authentication Council of Canada (DIACC), Digital Dollar Project, Digital Identity New Zealand (DINZ), Digital Identity and Data Sovereignty Association (DIDAS), DizmeID Foundation (DIZME), Hyperledger Foundation, Information Technologies ics and Telematics Institute / Centre for Research and Technology Hellas (CERTH/ITI), Johannes Kepler University Linz, ID2020, IDunion SCE, Mifos Initiative, MIT Connection Science, Modular Open Source Identity Platform (MOSIP), OpenID Foundation, Open Identity Exchange (OIX), Secure Identity Alliance (SIA), Universitat Rovira i Virgili, and the Trust Over IP Foundation (ToIP).

The OWF will not publish a wallet itself, nor offer credentials or create new standards. Instead, its open source software engine aims to become the core that other organizations and companies leverage to develop their own digital wallets. The wallets will seek feature parity with the best available wallets and interoperability with major cross-border projects such as the EU’s Digital Identity Wallet.

"Wallets are critical infrastructure for payments, for identity, and for secure access. Open source  — driven by collaboration among for-profits large and small, non-profits, and government leaders — is a great role model for infrastructure that is vital for digital societies and benefits everyone," said Daniel Goldscheider, founder of the OpenWallet Foundation. "With open source at the core of wallets, like it is at the core of web browsers, anyone can build a digital wallet that works with others and gives consumers the freedom to maintain their identity and verifiable credentials and share relevant data when, where, and with whom they choose."

With such a consequential and diverse group of members, OWF underscores how important it is to have an open foundation to support a plurality of digital wallets to ensure consistency, interoperability, and portability while protecting consumer privacy.

"The world needs a place to store digital assets that matter, and the work of this foundation has the potential to redefine the credentials landscape globally, creating in turn much better digital experiences for people everywhere and new market opportunities," said Gabriele Columbro, general manager of Linux Foundation Europe. "The EU has been a leading force in data privacy and consumer protection, and efforts like OWF offer a concrete opportunity for policy makers to 'shift left' their engagement, enabling a continuous and transparent feedback cycle between regulations and regulated technology. That’s why we are honored to bring such a relevant group of cross-industry players together in OWF under Linux Foundation Europe."

The OWF is the second project hosted by Linux Foundation Europe. Project Sylva was added in November 2022 to create an open source telco cloud software framework. 

Launching in tandem with OWF is a new report, Why the World Needs an Open Source Digital Wallet Right Now, from the OWF in partnership with Linux Foundation Research. The report notes:

*   Digital wallets are the world’s leading payment method for e-commerce and  point-of-sale retail. In 2021, the value of digital wallet transactions came to $15.9 trillion. 
*   Hundreds of digital wallets exist, but suffer from a host of problems, including vendor lock in, no interoperability, questionable security, and limited capabilities.
*   New wallets are underway, too, but without them all staying in sync, every country or organization that issues credentials could become a walled garden. IDs and wallets from elsewhere won’t work, disrupting travel, international students, and mobile workforces. 
*   The future will include multiple wallets, which is why we need a world-class wallet engine to ensure that interoperability is built in.

Quotes from inaugural members are available here.

For more information about the project and how to participate in this work, please visit: openwallet.foundation.

Join Open Wallet Foundation members for a livestream and Q&A on February 23rd, at 5:00 pm CEST/11:00 am ET. Register here.

**About Linux Foundation Europe**

Linux Foundation Europe was launched in September 2022 to facilitate open collaborations originating in Europe that succeed on a global scale, supporting one of the largest and most influential open source ecosystems in the world. The Linux Foundation and Linux Foundation Europe together are supported by more than 3000 members internationally. The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger Foundation, PyTorch, RISC-V, and more. Linux Foundation Europe methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.eu.

Linux Foundation Europe Announces Formation of OpenWallet Foundation

Through its Cybersecurity Assurance Program, UL Solutions is helping the automotive industry advance cybersecurity management systems for connected vehicle technologies.

**NORTHBROOK, Ill.****,** **Feb. 23, 2023** **/PRNewswire/ --** UL Solutions, a global leader in applied safety science, today announced it issued the first Cybersecurity Assurance Program Certificate for ISO/SAE 21434:2021, Road Vehicles — Cybersecurity Engineering to LG Innotek. The UL Solutions Cybersecurity Assurance Program (CAP) Certificate recognizes that LG Innotek's cybersecurity management system meets the requirements of the ISO/SAE 21434:2021 standard, which was introduced last year.

Cybersecurity is increasingly crucial for occupant protection as road vehicles become more connected and less isolated. Without a compliant cybersecurity management system, connectivity technology can leave road vehicles more vulnerable to automotive cybersecurity risks and ultimately affect the safety of the driver and passengers.

UL Solutions helps automotive original equipment manufacturers (OEMs) and suppliers assess cybersecurity risk throughout the complete product life cycle to help them identify problems earlier in the design phase before discovering issues in the final product.

"Cybersecurity risk management frameworks empower manufacturers to demonstrate that they prioritize cybersecurity and have mitigation measures in place in case of incidents or breaches," said Jody Nelson, managing director of Automotive Cybersecurity and Functional Safety at UL Solutions. "This proactive approach builds trust among buyers, which is fundamental to building valued brands. Congratulations to LG Innotek for achieving the first CAP certificate issued for the automotive industry. This milestone showcases LG Innotek's commitment to building a process that meets requirements set by current automotive cybersecurity standards."

The 2021 Global Automotive Consumer Study from Deloitte revealed that the majority of more than 24,000 consumers surveyed are concerned about someone hacking into their connected car systems and compromising their safety. Among consumers participating in the study, 66% in India, 64% in the United States and 58% in China indicated concerns regarding automotive cybersecurity risks.

Given the rapidly growing complexity of connected vehicles, it is increasingly challenging to eliminate cybersecurity risks. As a result, emerging regulations, such as ISO/SAE 21434:2021 and UN Regulation No. 155, Cybersecurity and Cybersecurity Management System, guide developing a risk management framework designed to assess risk early in the development phases, address cybersecurity challenges as they present themselves and track progress over time.

"Cybersecurity risk management proves critical to successfully delivering quality automotive components and connected vehicles in both commercial and passenger segments," Nelson said. "In today's world, security is intrinsic to quality. Our security experts offer a cross-functional technical experience to support the global automotive industry and suppliers such as LG Innotek in the shift toward connected vehicles."

ISO/SAE 21434:2021 specifies engineering requirements for cybersecurity risk management regarding the concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces. The standard defines a framework that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

**About UL Solutions**  
A global leader in applied safety science, UL Solutions transforms safety, security and sustainability challenges into opportunities for customers in more than 100 countries. UL Solutions delivers testing, inspection and certification services, together with software products and advisory offerings, that support our customers' product innovation and business growth. The UL Certification Marks serve as a recognized symbol of trust in our customers' products and reflect an unwavering commitment to advancing our safety mission. We help our customers innovate, launch new products and services, navigate global markets and complex supply chains, and grow sustainably and responsibly into the future. Our science is your advantage.

SOURCE UL Solutions

UL Solutions Issues Automotive Cybersecurity Assurance Program Certificate to LG Innotek

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks.

There has been a lot of talk about generative AI and chatbots like ChatGPT launching cyberattacks. What does that mean for the future of cybersecurity, and how can organizations prepare?

Threat actors are using ChatGPT to launch cyberattacks now. ChatGPT allows threat actors to increase the speed and variation of their attacks by modifying code in malware or creating thousands of variations of social engineering attacks to increase the probability of success. As machine learning technologies advance, so will the variety of ways this technology is used for malicious intent.

Generative AI is heating up everywhere and fundamentally changing everything we know about how cybercriminals develop and deploy attacks with increased speed and variations. The possible uses of AI for malicious intent are in their infancy. AI-powered technologies that leverage generative AI and diffusion models can modify the appearance of video and voice. They will most likely be used for cyberattacks, resulting in unfortunate consequences for organizations.

A race to develop new technologies leveraging AI is happening in voice (written and verbal), video, and more, as is evidenced by OpenAI's ChatGPT, Google's Bard, and Microsoft's AI-powered Bing. All are large language models that exponentially accelerate access to knowledge and rapidly generate new forms of content based on that contextualized knowledge. These tools rely on big data sets and the quality of those data sets.

While ChatGPT has the initial lead as the fastest-growing tool in history, don't bet against Google's ability to surpass ChatGPT in the future. It will certainly be a race, unlike anything we've seen before. As these new technologies become available, they will be used by organizations and cybercriminals, and both sides will use them to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext engineers have been developing natural-language generative AI technology for a few years in anticipation of these types of changes in the threat landscape.

**How Real the Generative AI Threat Is and How Organizations Can Prepare**

Generative AI, chatbots, and diffusion models are all developments in AI that present a real danger to users and businesses. Right now, ChatGPT, in particular, is a real enhancement to malware, business email compromise (BEC), and ransomware threat development. Cyberattacks are most dangerous when delivered with speed and frequency to targets.

With malware, ChatGPT enables cybercriminals to make infinite code variations to stay one step ahead of the malware detection engines. BEC attacks are target attempts to social engineer a victim into giving valuable financial information or data. These attacks require personalized messages to be successful. Now ChatGPT can create well-written, personal emails en masse with infinite variations. The speed and frequency of these attacks will increase and yield a higher success rate of user compromises and breaches. Legacy security technology doesn't stand a chance against these types of attacks. 

We must fight AI cyber threats with AI cybersecurity technology. When cybercriminals launch successful attacks, the results are massively disruptive to people, organizations, and the economy. The No. 1 cyber challenge that organizations face globally is human-focused attacks. Cybercriminals are increasing their attacks in LinkedIn, Microsoft Teams, Messenger, and Slack and taking advantage of the most vulnerable part of organizations: its people.

Many organizations are already using AI-based cybersecurity products to manage detection and response. AI technologies with generative AI will become essential technology to stop hackers and breaches. As new technology becomes available, hackers and cybersecurity vendors will use it to perpetrate and stop cybercrime. The abuse of AI is something we knew would happen for a long time, which is why SlashNext has been developing a natural-language generative AI technology for a year and a half in anticipation of these types of threats.

ChatGPT is not new, but OpenAI is the first to make an interface, so it's more accessible. ChatGPT is not the technology to fend off threats designed with ChatGPT. Still, generative AI technology, which makes ChatGPT possible, will be used to develop cyber defenses capable of stopping malware and BEC threats developed with ChatGPT. 

**About the Author**

    

Patrick Harr is the CEO of SlashNext, an integrated cloud messaging security company using patented HumanAI™ to stop BEC, smishing, account takeovers, scams, malware, and exploits in email, mobile, and Web messaging before they become a breach.

Generative AI Changes Everything We Know About Cyberattacks

A previously unidentified threat group uses open source malware and phishing to conduct cyber-espionage on shipping and medical labs associated with COVID-19 treatments and vaccines.

A previously unknown threat actor that exclusively uses a slew of publicly available and living-off-the-land tools has been targeting Asia-based shipping companies and medical laboratories in an intelligence-gathering operation since October, researchers have found.

Dubbed Hydrochasma by researchers at Symantec, which is owned by Broadcom Software, the group as yet does not appear to have stolen any data, but seems to target industries that are involved in COVID-19-related treatments or vaccines for cyberespionage, Symantec's Threat Hunter Team wrote in a blog post published this week.

"While Symantec researchers didn't observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data," researchers wrote.

Judging by its tools and tactics, the group's chief motive appears to be achieving persistent access to victim machines without being detected, "as well as an effort to escalate privileges and spread laterally across victim networks," they noted.

Indeed, the lack of custom malware lends itself to this motive, Brigid O Gorman, senior intelligence analyst with Symantec Threat Hunter team, tells Dark Reading.

"The group's reliance on living-off-the-land and publicly available tools is notable," she says. "This may tell us a number of things about the group, including a desire to stay under the radar and make attribution of their activity more difficult."

**How Hydrochasma Attacks**

Researchers first were alerted to concerning activity on the victim's network when they noticed the presence of SoftEther VPN, a free, open source, and cross-platform VPN software often used by attackers.

Like many other threat groups, Hydrochasma appeared to use phishing as its means of initial access to a targeted network. Indeed, phishing remains one of the most successful ways for attackers to compromise networks, and it continues to grow and evolve at a fast clip.

In this case, the first sign of suspicious activity that researchers found on victim machines was a lure document with a file name in the organization's native language that appeared to be an email attachment for a freight company "product specification," they said. Researchers also found a lure that mimicked a resume for a "development engineer."

Once Hydrochasma gains access to a machine, attackers drop a Fast Reverse Proxy, a tool that can expose a local server protected by a network address translation (NAT) or firewall to the Internet. That in turn drops a legitimate Microsoft Edge update file. That's followed up by another file that's actually a publicly available tool called Meterpreter — which is part of the Metasploit framework — that can be used for remote access, researchers said.

**Everything But the Kitchen Sink**

In fact, in the campaign that researchers observed, the group bombarded the victim organization with what seemed like everything but the kitchen sink in a flurry of publicly available tools aimed to guarantee its presence and persistence on the network.

"It is relatively unusual to see an attack group using only open source malware in an attack chain, so this did make Hydrochasma's activity stand out to us," O Gorman notes.

Other tools being wielded by Hydrochasma in the attack included: Gogo scanning tool, an automated scanning engine; Process Dumper, which allows attackers to dump domain passwords; AlliN scanning tool, which can be used for lateral penetration of the intranet; and Fscan, a publicly available hacktool that can scan for open ports and more.

Researchers also observed Hydrochasma using Cobalt Strike Beacon, a legitimate pen-testing tool that attackers also have widely adopted for executing commands; injecting, elevating, and impersonating processes; and uploading and downloading files on victim networks. The group also deployed a shellcode loader and a corrupted portable executable in the attack.

Their assault on the victim network didn't stop there, however; additional tools that researchers observed being used in the attack included: Procdump, for monitoring an application for CPU spikes and generating crash dumps; BrowserGhost, which can grab passwords from a browser; the tunneling tool Gost proxy; Ntlmrelay for intercepting validated authentication requests to access network services; and HackBrowserData, an open source tool that can decrypt browser data.

**Avoiding Compromise**

Symantec included both file and network indicators of compromise in its blog post to help organizations identify if they're being targeted by Hydrochasma.

The extensive use of dual-use and living-off-the-land tools by the group highlights the need for organizations to have a comprehensive security solution to detect suspicious behavior on network machines, as well as stop malware, O Gorman says: "Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain," she tells Dark Reading. "Organizations should also be aware of and monitor the use of dual-use tools inside their network."

In general, Symantec also advises implementing proper audit and control of administrative account usage, as well as the creation of profiles of usage for admin tools, "as many of these tools are used by attackers to move laterally undetected through a network," O Gorman adds.

Hydrochasma Threat Group Bombards Targets With Slew of Commodity Malware, Tools

A novel threat group, utilizing new malware, is out in the wild. But the who, what, where, and why are yet to be determined, and there's evidence of a false-flag operation.

On Feb. 22, Symantec revealed evidence of a previously undocumented threat actor it's calling "Clasiopa." Clasiopa has been observed deploying a unique malware backdoor called "Atharvan" in its campaign against a materials manufacturer based in Asia.

"From what we can see, the main motivation of the attack was spying or information theft," Dick O'Brien, principal intelligence analyst at the Symantec Threat Hunter Team, tells Dark Reading. Symantec declined to elaborate on the nature of the victim, the files, or whether the attackers were successful.

**Clasiopa's Stealth Tactics**

Clasiopa's initial intrusion vector is not certain, "although," the researchers noted, "there is some evidence to suggest that the attackers gain access through brute-force attacks on public-facing servers."

The report highlights a few hallmarks of the attack, including checking the IP address of target computers, using "multiple backdoors to build lists of file names and exfiltrate them," clearing multiple event logs on the target system, and running a vaguely named task — "network service" — to list file names.

Two commercial programs also made their way into the maelstrom: the Agile File Distribution Management system, from developers Jiangsu Agile Technology in China, and Domino, from HCL software (though the latter may have been included coincidentally).

Altogether, these methods — the backdoors, the erased logs, the commercial software — begin to tell a story. "They're certainly an attempt at stealthy tactics," O'Brien says. "These kinds of tactics are by no means unique and a lot of similar threat actors will do something similar, with varying levels of success depending on their skills and resources."

"In this case," he adds, "they still left enough evidence behind to piece together much of what they'd done."

That said, some of the evidence the group left behind may have been intentional, meant to point researchers in a specific attribution direction.

**Who Is Clasiopa?**

The clues to learning about Clasiopa may lie in its unique malware, Atharvan — "a classic backdoor," as O'Brien says. "It allows the attackers to maintain an open communication channel with the infected computer, install additional tools, and send back information to the attackers."

Function aside, its name may be its most notable feature. The name derives from "SAPTARISHI ATHARVAN-101," a mutual exclusion object ("mutex") the malware creates after infecting a target machine, to ensure multiple copies of itself aren't running at once. "Saptarishi," in ancient Indian astronomy, is the word for the arrangement of stars in the Big Dipper. Atharvan is the name of a mythic Hindu sage.

And there was another breadcrumb indicating Indian origin. One of the passwords Clasiopa used for a zip archive was iloveindea1998^\_^.

However, these clues are actually _so_ obvious that they invite suspicion. "While these details could suggest that the group is based in India," the researchers hypothesized, "it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue."

Many other details about the group remain undisclosed or unknown. This may be in part due to the stealth tactics utilized in the campaign, some subtle and some overt. For now, threat analysts should stay tuned: To learn anything more about Clasiopa, we may need to wait until it strikes again.

Unanswered Questions Cloud the Recent Targeting of an Asian Research Org

Cybercriminals and hacktivists have joined state-backed actors in using sabotage-bent malware in destructive attacks, new report shows.

The increased use of disk wipers in cyberattacks that began with Russia's invasion of Ukraine early last year has continued unabated, and the malware has transformed into a potent threat for organizations in the region and elsewhere.

Researchers at Fortinet recently analyzed attack data from the second half of 2022 and observed a startling 53% increase in threat actor use of disk wipers between the third and fourth quarters of the year. The trajectory suggests there will be no slowing down any time soon, the security vendor said.

Russia-based advanced persistent threat (APT) groups — working in support of the country's military objectives in Ukraine — accounted for a lot of the initial surge in wiper use and continued activity last year. However, Fortinet's data shows that others, including financially motivated cybercriminals, hacktivist groups, and other individuals fueled the increase as well, especially toward the end of 2022.

Leading up to last year, wiper activity tended to be almost nonexistent, according to Geri Revay, security researcher with Fortinet's FortiGuard Labs. But since the conflict between Russia and Ukraine started, threat actor use of the malware has exploded, he says. 

"In 2022 alone we saw 16 different families targeted at 25 countries around the world," Revay says. "In the second half of the year, we also started seeing a new breed of wipers, with some even open source and on GitHub, making it much more readily available for advanced persistent cybercrime campaigns," he says.

**A Wiper Malware Medley**

Fortinet's report highlights several wiper families that it perceives as presenting a major threat to organizations based on threat actor use over the past year. Among the biggest of them is HermeticWiper, a wiper that erases and overwrites a compromised system's master boot record. The wiper first surfaced in attacks against Ukrainian organizations in 2021. Fortinet said it observed a significant spike in activity last year involving HermeticWiper in November that become even more pronounced in December.

Other wipers that the security vendor observed threat actors using widely in attacks last year include WhisperGate, a malware strain that looks like ransomware on the surface but has no data recovery mechanism; NotPetya; DoubleZero; and IsaacWiper. Analysts have previously identified Russia's military intelligence group as likely being behind WhisperGate. Interestingly, Shamoon, a wiper that was used in an attack that bricked thousands of PCs at Saudi Aramco more than a decade ago, also remained popular among actors last year. Fortinet's data showed Shamoon to be one of the most widely used wipers in destructive attacks last year.

Currently, the main motivation for the use of wiper malware appears to be focused around cyberwar and hacktivism, Revay says. But that doesn't mean threat actors won't use it in other ways, like using wipers to sabotage systems or to destroy evidence of a cybercrime.

"Sabotage is the most obvious reason to deploy a wiper," Revay notes. "Just as Stuxnet was used to destroy centrifuges to slow down Iran's efforts to develop nuclear weapons, wiper malware could be used to destroy data, sabotage development, cause financial loss, or just cause chaos." And using wipers to destroy evidence, while noisy, also gets the job done for attackers and is much simpler than removing all log files and malware, he says.

**New Breed of Wipers**

Fortinet's report is among several that have highlighted a sharp increase both in disk wiper use and disk wiper variety over the past year. While Fortinet's research showed that threat actors used 16 wiper families in attacks last year, another report from Max Kersten, a malware analyst at Trellix, identified more than 20 wiper families that threat actors used in destructive attacks last year.

Ukrainian organizations remain primary targets, as one recent attack against the country's main news agency involving the use of five separate wiper variants demonstrated. But organizations in other countries are under growing risk of attack, too. Fortinet, for instance, found WhisperGate and HermeticWiper were both most prevalent outside Europe. More organizations in Africa and Asia experienced attacks involving the two wiper families than organizations in Europe. And North America, overall, continues to experience the least wiper activity, the security vendor said.

"Most of the wiper attacks were targeting Ukrainian organizations in 2022, but that could easily have a spillover effect on other countries," Revay says. As an example, he points to one incident where an attack that targeted a Ukrainian satellite communication provider ended up taking 5,800 German wind turbines offline.

In terms of how to prepare and how to respond to a wiper attack, "it is very similar to a ransomware incident," Revay tells Dark Reading. "If the ransom is not paid, which is the recommended approach, a ransomware can be also considered a wiper, because without the decryption key the encrypted data is as good as lost."

Wiper Malware Surges Ahead, Spiking 53% in 3 Months

Security Pro File: The old-school hacker traces a path from young hardware tinkerer to senior cybersecurity executive.

Before he was Space Rogue, before L0pht, before testifying in front of Congress about what used to be a very unknown risk of networked computers, and before he embarked on a career in cybersecurity, he was just young Cris Thomas with a homemade flashlight.

Growing up in a mobile home in rural Maine in the 1970s, Thomas didn't have a whole lot of access to technology in his early years. But at the tender age of five, armed with a hammer and a worn-out sealed alkaline flashlight — the kind that you threw away after the batteries lost their juice — he was able to first learn the basics of electrical circuits. Cannibalizing parts from those flashlights and adding C and D cell batteries and wires consisting of garbage bag twist ties, he was in business with his very own lighting device.

That kind of tinkering is the very essence of a hacker's modus operandi, and it was the start of his love affair with hacking and his eventual profession as a cybersecurity leader. Over the years, Thomas has done stints at the likes of Trustwave Security, Tenable, and almost six years now at IBM as Global Lead of Policy and Special Initiatives. But at its root his beginnings have all the same flavor of self-directed experimentation and trial-and-error with his flashlight. His route was circuitous and full of ups and downs, but he says that in some ways it was easier for him to go down that path than those trying to get their break in cybersecurity today without the traditional path straight from college.

"There's still people who are trying to break into the industry with little to no formal education, and the debate of college or certifications is still raging. So, I think getting into the industry, from an austere beginning and maybe even skipping the formal education and being self-taught — it is possible," he says. "It's a lot more difficult today, because I think people put a lot of importance on the college degree and the formal education, and so it's hard to get around that stigma."

After early grade school he moved to a bigger town, was exposed to computers in bits and pieces, and mastered the basics of BASIC from chance encounters, clubs, and high school computer class. But it wasn't until he was in the Army that he was able to buy his very own computer, a Mac SE he bought on credit from a store nearby his base. It was from this machine he dug further into programming and got synced up with his first local user group, a Mac HyperCard user group. From there he branched out into BBSs and began to tap into the burgeoning Internet hacker subculture. After the Army and a brief stint at Boston University, he took the handle Space Rogue, dialing into the Boston BBSs. Many of those had a whole underground world of in-person meet-ups attached to them. Running in those circles — plus holding down a job at a local CompUSA where a number of local hackers worked — is what would eventually lead Space Rogue to the ragtag group of hackers called L0pht.

**Remembering the L0pht**

A collective of elite hackers and a hackerspace rolled into one, the L0pht is one of those storied groups that's inextricably tied in with the infancy of the cybersecurity industry. In a book published this month, _Space Rogue: How the Hackers Known as L0pht Changed the World_, Thomas writes the memoir of his winding journey to hacking and his membership in the group.

Space Rogue was one of the earliest members and was heavily involved in the group's adventures and hacking experimentation. He was there for its evolution into what would become L0pht Heavy Industries, its release of the L0phtCrack password-cracking tool, and its eventual sale to @Stake. Together with hackers like Mudge, Weld Pond, Kingpin, Dildog, tan, and Stefan von Neumann, they were on the bleeding edge of experimentation with hardware and software — partially from scavenging corporate dumpsters for equipment, partially from soliciting donations and picking up cool finds at the MIT Flea Market, where they also sold refurbished gear to partially fund their loft space. The crew ran their own NOC, experimenting with different forms of networking, and they shared files online through the early version of the L0pht.com server. Space Rogue ran the popular Whacked Mac Archives, a collection of software collected from underground systems and BBSs over the years. He did the books and paid the bills as an unofficial chief operating officer and was also instrumental in helping raise the profile of the group by founding and running Hacker News Network and helping to coordinate a lot of its work with the media.

The work the L0pht did for a very long time was simply a labor of love — the hackers had day jobs. In their off-hours time of experimentation they started learning how truly vulnerable systems are to manipulation and exploitation in ways unexpected by their creators. As the team evolved, they started picking up gigs writing custom signatures for the first incarnations of intrusion detection systems, issued advisories about vulnerabilities on their website and Bugtraq, and were courted by firms to do pen testing. For a long time they barely broke even, but their security chops did gain the attention of the federal government, and in 1998 Space Rogue and six other core members of the L0pht stepped in front of a Congressional panel to give one of the earliest public warnings about the state of insecurity of the online world.

Thomas does a great job detailing all of these happenings in his book, which offers a very personal and open account of his perspective on how things unfolded. He does a great job highlighting the personalities and mindsets of the different hackers he worked with or came across over the years, and is very relatable and vulnerable offering thoughts on his maturing perspectives on dealing with not just systems but also people. Readers get to follow along with his close connections with hacker friends, fallouts and reconciliations, and run-ins with difficult bosses, as well as career disillusionment and rebirth.

**What's in a Handle?**

Musing about the L0pht and his book recently, he notes that while his unconventional learnings and rise through cybersecurity could probably be emulated by newcomers, the rise of L0pht itself occurred during a very unique era in time and would be a whole heck of a lot more difficult to recreate.

"I mean, you can get a bunch of people together and rent some space and do some stuff, but getting the same attention would be harder because the bugs are harder to find now," he says. He explains that what L0pht did wasn't easy, but they found the low-hanging fruit in security flaws.

They also had a lot less red tape and legal and professional standards to navigate. Doing what they did back in the 1990s today would put most cybersecurity researchers in a lot of hot water.

"There's a lot more risk involved. I mean, there was risk then too, but if you're going to release information about a zero-day vulnerability to the public without a pseudonym, the risk of lawsuits is pretty high. Which is, again, one of the reasons why we were using the handles and the pseudonyms to begin with. But staying pseudonymous is a lot more difficult today than it was."

Thomas still cherishes and uses his Space Rogue handle — it's part of his online and professional persona. For example, his email address at IBM is based on that handle rather than his real name.

"I built a reputation as Space Rogue within the industry. I was the last member of the L0pht to actually start using their given name in professional settings," he says. "So it's only been a few years for me, really, that people have looked at the handle and been able to equate it to the given name easily."

These days, Mudge is known as Peiter Zatko, who worked at DARPA and Google in key roles, and most recently in the news as the Twitter whistleblower who drew attention to the social network's lacking security stance. Weld Pond is Chris Wysopal, who co-founded Veracode. Kingpin is Joe Grand, a well-known security researcher and author who runs Grand Idea Studio. But when they see each other, they'll always be Mudge, Weld, and Kingpin to him.

"And for the most part, people still address me as Space Rogue or SR. At work, people call me Space, and occasionally I'll get Mr. Rogue, but that's usually as a joke," he says. "My wife actually referred herself in a Twitter thread the other day as Mrs. Space Rogue."

**Looking Back at Industry Change**

All kidding aside about handles, Space Rogue is still as much of a concerned industry watcher as those days back at the L0pht, stepping in front of federal lawmakers.

"I've always been interested in policy and how legal ramifications are impacting the online world. Right now, I'm following a lot of actions of CISA, and I have to say that as a nation we're actually doing a great job," he says. "In the past, government has been behind schedule and playing catch-up, but I think CISA's actually taken a very good, proactive approach, which is a welcome change in the industry."

At the same time, though, he says that there's this dichotomy in cybersecurity where over the last 25 years, everything has changed but is also still the same. There's a ton more awareness now, not just from policy makers or industry insiders but just individual workers or non-tech business executives, about things like ransomware or phishing.

"Most people have to go through some sort of security training in their job, so the awareness factor is much higher," he says.

At the same time, though, the cybersecurity world is still knocking its head against the same problems it did decades ago.

"We're making stupid mistakes. We're using default passwords. We're designing flat networks. And these are the same problems that we had 25 years ago," he says. "So, it's a little bit of some and a little less of some other stuff. A lot of things have changed and gotten better, but a lot of things have still stayed the same as well."

**PERSONALITY BYTES**

**What he does for fun:** A lot of treasured hobbies mirror his hacking interests — his fun project at the moment is setting up a Raspberry Pi for his son to help him learn Python and picoCTF. "You can't get Raspberry Pis at the moment, so I've had to cannibalize some of my old projects to get him one that he can use."

**Non-hacking hobbies:** There was a time he was into making hard cider, but he moved and had less room for all of the equipment. Now he's turned his sights to rock tumbling. "My youngest got a rock tumbler last year and never used or was very interested in it. And I was like 'Well, if you're not going to use it, I'm going to.' Now I have four tumblers and I'm rotating rocks in the basement all the time."

**Quirky tidbits:** He says he's kind of an open book, and shares a lot of fun stuff with co-workers via Slack, so there's nothing they'd be surprised to know about him. But like many folks in the industry, he's got his quirky interests. "I'm a big Saturn car aficionado."

**Favorite day-to-day drink:** "I drink a lot of caffeine-free Diet Coke."

**How he tells people what he does for a living:** Per his book, he wrote, "I rarely blurt out 'Hi, I’m a hacker' when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers."

Cris Thomas: Space Rogue, From L0pht Hacker to IBM Security Influencer

Eliminate passwords in user authentication workflow with Vault Vision's passkey features like facial recognition, fingerprint and pin verification on all modern devices.

**DENVER, Feb. 22, 2023 /PRNewswire-PRWeb/ --** Vault Vision, a leading user  
authentication platform for developers announced the launch of passkey  
authentication technology enabling secure and convenient logins on modern  
devices. Legacy passwords are central to website and app security, but 81% of  
hacking-related breaches leveraged either stolen and/or weak passwords. A Google  
study found that 75% of Americans are frustrated with passwords and 43% have  
shared their password with someone. Passkey auth aims to solve an inherent  
weakness in passwords with support from Apple, Google and Microsoft on all  
modern browsers and devices.  
For application users, passkey is an easier replacement for passwords. With  
passkey, users can sign in to applications with biometric authentication such as  
a fingerprint or facial verification, PIN, or pattern, unlocking them from  
having to remember and manage passwords. A user can sign into applications on  
all modern devices using a passkey, which can be created on a mobile phone and  
used to sign in to a website on a separate laptop. Passkey authentication makes  
it phishing-resistant and brute force attacks, and one the most secure  
authentication methods available today. Vault Vision's one click passwordless  
login drastically improves the user registration and login workflow with the  
addition of passkey.

For developers, Vault Vision's user authentication platform enables easy  
integration of passwordless logins into any website or application built on  
React, Node, Python, Go and low code platforms like Webflow. Developers can  
leverage Vault Vision's open sourced examples available as GitHub repos in  
React, Node, Python and Go, which can be deployed with auto-generated and  
pre-set copy-and-paste environment configuration stanzas. These repos offer an  
implementation insight into the integration flows with auth use cases. "Vault  
Vision is the only passwordless-first auth platform that does not require a  
password during setup." said Neil Proctor, CEO and Founder, Vault Vision. "Our  
technology enables developers to register without passwords and start creating  
local development environments with our user auth in less than a minute. For end  
users, the convenience of passwordless login drives user registration and login  
growth with facial recognition, fingerprint & pin based verification on all  
modern devices".  
The addition of passkey auth and passwordless logins makes Vault Vision's one of  
the most secure authentication platform with its privacy-first architecture.  
Vault Vision is the only authentication platform that protects end user privacy  
from password breaches by eliminating use of third-party scripts and low quality  
sdk's. With the average authentication tool employing an average of eight  
tracking elements, Vault Vision maintains zero third-party dependence  
eliminating vendor breach risk for developers and the ability to operate in  
air-gapped and secure operating environments.  
Vault Vision offers free developer sandboxes and expert help with your free  
trial, learn more here.**About Vault Vision**  
Vault Vision is a no code user authentication platform that enables developers  
to easily deploy user auth & passwordless logins on React, Python, Go, Node  
applications and low code platforms like Webflow. Vault Vision's authentication  
technology increases login engagement and drives user registration growth with  
OpenID Connect (OIDC), FIDO2 and passkey logins. End users benefit from Vault  
Vision's convenient authentication features like passkey facial recognition,  
fingerprint, pin based verification, OIDC logins for Apple, Google and  
Microsoft, two-factor auth (2FA), multi-factor auth (MFA), universal time-based  
one-time password (TOTP) auth, SSO with email and hardware key auth. Vault  
Vision's is a FIDO Alliance member and its user authentication technology is  
OpenID Certified.

Vault Vision Launches One Click Passwordless Logins With Passkey User Authentication

As a data security solution focused solely on SaaS ecosystems, Metomic will use the Series A funding round to expand into the U.S.

**London, England, February 22, 2023 –** Metomic, a next generation data security solution for protecting sensitive data in the new era of collaborative SaaS, announced today it has raised a $20 million Series A funding round. The round is led by Evolution Equity Partners with participation from Resonance and Connect Ventures. The investment will be used for U.S. expansion efforts and research and development initiatives. It will also allow Metomic to double down on its AI technology, furthering its mission to enable safer, more compliant data sharing across collaborative software-as-a-service (SaaS) ecosystems. 

Security, privacy and compliance teams use Metomic’s no-code workflows to automate data policies across their SaaS applications. This includes the ability to deliver real-time notifications directly to employees when they have uploaded sensitive data into the wrong environment, essentially enabling a human firewall across the organization.

Metomic’s funding round comes at a critical time as the SaaS ecosystem continues to grow. Research shows that SaaS app usage was up 18% last year, with businesses using, on average, more than 130 SaaS tools across the organization. The challenge comes from the lack of visibility and control companies have over what data employees are uploading in SaaS apps, and whom they are sharing it with. The result: PII (personally identifiable information), confidential information, and security credentials are being stored and exposed unnecessarily – often by accident. This presents a real risk and pain for organizations that rely on the productivity benefits of SaaS, but need to control and protect their most sensitive data. 

Metomic is giving organizations visibility and control of their data across collaborative SaaS applications, including Google Apps, Slack, Jira, and Zendesk by connecting to the data layer of these popular work tools. It allows security professionals to see what data is being stored, where it is, and who has access to it. Metomic’s automated processes are having a groundbreaking effect on how modern companies protect sensitive data at scale. 

"Security, IT and compliance teams have no visibility into the data employees are storing and sharing across third-party SaaS applications. They are suffering from alert fatigue and are overwhelmed with the amount of notifications they have to address,” said Rich Vibert, CEO and Co-Founder, Metomic. “By triaging critical risks and putting remediation in the hands of employees, we give security teams the most effective, scalable, and modern way to protect their most vulnerable data, without getting in the way of high-value work.” 

In the last 18 months, Metomic’s automated platform has prevented more than two million data leak threats lurking in SaaS ecosystems. Even more astonishing, it has detected hundreds of millions of sensitive data points within SaaS apps and found that 99% of the sensitive data does not need to be there or is accessible to people who shouldn’t have access.

"Businesses adopt SaaS applications at a rapid pace. While SaaS tools increase employees’ productivity and enable collaboration among colleagues and partners, IT security teams have limited visibility and control over sensitive data stored within these apps,” said Yuval Ben-Itzhak, Partner, Evolution Equity Partners. “Metomic gets it. We believe their approach to SaaS data security can fill the gap by helping security teams control sensitive data and remain in compliance with regulations."

"Evolution Equity are great partners for Metomic," added Vibert. "As cybersecurity investors, they not only knew the space, but immediately understood the business value of our technology. We connected on the need to protect information at the data level inside SaaS, one of the fastest growing niches in cybersecurity today."

Currently, Metomic has customers across Europe and North America, with 50% of its customers based in the U.S. It plans to quadruple employee headcount by the end of the year, with its sales and marketing functions headquartered in the U.S. 

**About Metomic:** 

Metomic was born out of the frustration of its leaders trying to implement SaaS applications that make businesses more productive but are off limits because of high-risk security concerns. As a next generation security solution focused on cloud-based applications, Metomic gives security teams clear visibility into their organization’s SaaS network to manage sensitive data and detect security threats, allowing businesses to take full advantage of their SaaS application network. To learn more visit www.metomic.io.

Metomic Raises $20 Million to Protect Sensitive Data in SaaS Applications

Before adopting SaaS apps, companies should set security guardrails to vet new vendors and check security integration for misconfiguration risks.

    

App bar on Zoom

As you may have noticed on your recent Zoom calls, the latest application update quietly added a slick little app-store sidebar to the right-hand side of your session screen. This feature enables any business user within your organization to integrate the software-as-a-service (SaaS) apps showcased in the sidebar with a click of a button — without so much as disrupting their Zoom session.

While seemingly innocuous, this feature highlights the greatest strength and one of the greatest SaaS security risks — the ability for anyone within an organization to adopt, configure, and manage SaaS applications. While this process may be convenient and conducive to fast business enablement, by design it also bypasses any internal security review processes. This leaves your security team with no means of knowing which apps are being adopted and used, whether they may have security vulnerabilities, if they are being used in a secure way, or how to place security guardrails around their use. Enforcing zero-trust security principles becomes almost impossible.

**Shared Responsibility**

But before you chastise your employees for irresponsibly adopting SaaS applications, you need to realize they're being constantly encouraged by vendors to install more apps and adopt new features. Yes, the applications themselves often serve critical business needs, and yes, your employees inherently want to adopt them quickly, without enduring a protracted security review. Yet, they're doing so because — whether they realize it or not — they're being aggressively marketed to by savvy application vendors, who often mislead users into believing they're following security best practices. Just because users are bombarded during installation with consent screens meant to give them pause and encourage them to read about their rights and responsibilities doesn’t mean users are actually reading these screens, or that the consent language is transparent, accurate, or complete.

Beyond touting their application's brilliant new features, these vendors are also constantly telling your business users and security teams their applications are secure, their infrastructure is secure, that 24/7 uptime is 99.999% assured, and they guarantee that their employees won’t have access to user's data, etc. However, they typically downplay or even fail to mention their shared responsibility model of security, where they're only responsible for the security of the platform infrastructure, and that securing usage against account takeovers and data loss are the customer's responsibility.

This is especially problematic as most security breaches are due to SaaS misconfiguration or user error, not code vulnerabilities, and your users are ill-equipped to defend against these risks by themselves. Even large and respectable vendors such as GitHub, HubSpot, LastPass, Mailchimp, Okta, and others that were recently victims of breaches, are susceptible to misconfigurations and misuse. You should always trust, but verify no matter the vendor.

**Never Assume**

In other cases, security is often just assumed. Take application marketplaces operated by well-known brands, for example. Vendors have neither the desire, nor the financial incentive or capacity, to vet the security posture of every third-party application being sold on their marketplaces. Yet to grow the business they can lead users to believe that anything sold there maintains the same level of security that the marketplace vendor does, often by omission. Likewise, marketplace descriptions may be written in such a way as to imply their application was developed in collaboration with or endorsed by a major, secure brand.

The use of application marketplaces creates third-party integrations that carry the same risks as those that led to many of the recent attacks. During the GitHub attack campaign in April 2022, attackers were able to steal and abuse legitimate Heroku and Travis-CI OAuth tokens issued to the well-known vendors. According to GitHub, the attackers were able to leverage the trust and high access granted to reputed vendors to steal data from dozens of GitHub customers and private repositories.

Similarly in December 2022, CircleCI, a vendor specializing in CI/CD and DevOps tools, confirmed some customer data was stolen in a data breach. The trigger to the investigation was a compromised GitHub OAuth token. Based on the investigation by the CircleCI team, the attackers were able to steal a valid session token of a CircleCI engineer, which allowed them to bypass the two-factor authentication protection and gain unauthorized access to production systems. They were then able to steal customer variables, tokens, and keys.

**Lure of Frictionless Adoption**

Vendors also build their platforms and incentive programs to make adoption as easy as agreeing to a free trial, a perpetual free service tier, or swiping a credit card, often with seductive discounts to try and buy without obligation.

It's in the interest of the vendors to get users hooked quickly on any cool, new functionality by removing all friction to adoption, including bypassing IT and security team reviews in the process. The hope is that even if security teams grow wise to the use of an application, it will prove too popular with business users and too critical to business operations to remove it. However, making adoption overly easy can also lead to a proliferation of unused, abandoned, and exposed apps. Once an app is rejected during a proof of concept (PoC), is abandoned due to waning interest, or the app owner leaves the organization, it can often remain active, providing an expanded and unguarded attack surface that places the organization and data at elevated risk.

While it's important to educate your business users on SaaS security best practices, it's even more important to fight indiscriminate SaaS sprawl by teaching them to evaluate more critically the siren song of SaaS vendors about easy deployment and financial incentives.

Further, security teams should also adopt tools that can assist in managing SaaS misconfiguration risks and SaaS-to-SaaS integrations. These tools enable users to continue to adopt SaaS applications as needed while still vetting new vendors and integrations for security and establishing much-needed security guardrails.

Source

DARKReading