**BATAVIA, Ohio, Oct. 28, 2022 /PRNewswire/ --** At Multi-Color Corporation ("MCC") we value our customers and employees and understand the importance of protecting personal information. Unfortunately, we regret to provide this notice that we were the victim of a cyberattack. On September 29, 2022, MCC discovered that a third party had unauthorized access to our information technology environment. In response, MCC immediately deployed security measures to address the threat and retained an external incident response team to accelerate our recovery efforts. We proactively notified the Federal Bureau of Investigation and other domestic and foreign regulatory officials in jurisdictions where MCC has operations, including data protection authorities in the European Union, the United Kingdom, and in Australia.

The MCC files and records that were compromised by this cybersecurity incident included sensitive "HR data," such as personnel files and information on enrollment in our benefits programs. However, based on the measures that we have implemented and the actions we have taken, there is no indication that any personal information subject to this cybersecurity incident has been misused or will be misused in the future.

Out of an abundance of caution, MCC is providing complimentary credit monitoring and identity theft protection services to current and former employees (and their immediate family members) who have been impacted by this incident. If you are a former employee of MCC, or a beneficiary of a MCC benefits program, please contact us to determine your eligibility to enroll in our complimentary credit monitoring and identity theft protection services.

Please note that MCC generally does not retain sensitive personal data on our customers or suppliers, and there is no evidence at this juncture that such personal information was involved in this incident. If you are a customer or supplier of MCC, and you believe we retain your sensitive personal data, please contact us immediately.

We have established a dedicated call center to answer questions you may have about this incident, including on how to enroll in our complimentary credit monitoring and identity theft protection services. For United States residents: contact 888-291-2363, available Monday – Friday, 9:00 am to 9:00 pm EST. For non-United States residents: contact +44(0)330 053 3818, available 24/7. We have also established a dedicated website about this incident that includes a Frequently Asked Question (FAQ) section, and it is available at https://www.mcclabel.com/en/data-security-notice.

Multi-Color Corporation, 4053 Clough Woods Drive, Batavia, OH 45103.

SOURCE Multi-Color Corporation

Notice: Multi-Color Corporation Statement on Data Security Incident

With scant details attached, Google Chrome seeks to shore up yet another exploited zero-day vulnerability.

Google Chrome has issued an urgent fix for an actively exploited zero-day bug in its browser. 

This is the seventh Chrome actively exploited zero-day flaw this year, underscoring how big of a target it has become for cyberattacks. 

As users scramble to patch, Google isn't releasing many details about the vulnerability, tracked under CVE-2022-3723, except to note that it's a type confusion bug in V8, which is Google's open source high-performance JavaScript and WebAssembly engine. Type confusion bugs are can lead to out-of-bounds memory access and arbitrary code execution, according to MITRE.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said in its urgent update. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Urgent: Google Issues Emergency Patch for Chrome Zero-Day

**Atlanta, GA:** As Cybersecurity Awareness Month winds down, Cyversity Atlanta in partnership with CLASS-LLC announces the launch of its first cybersecurity apprenticeship cohort. Registered with the US Department of Labor, this apprenticeship program seeks to advance Diversity, Equity, Inclusion, and Accessibility (DEIA) across cybersecurity occupations, especially for historically underrepresented populations such as women and communities of color through experiential learning as well as formal educational activities.

Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace.

Cyber Leadership and Strategy Solutions (CLASS-LLC) is a cybersecurity service firm. Keyaan J Williams, Founder/Managing Director explains, “This year’s Cybersecurity Awareness Month campaign theme is “See Yourself in Cyber.” This theme is on point with what Cyversity Atlanta and CLASS-LLC are doing with our apprenticeship. We will be the corporate partner that supports the Registered Apprenticeship Program (RAP) that Cyversity manages to increase the participation of minorities and women in the cybersecurity workforce. The apprentices selected in Q4 will start working with CLASS-LLC with us on January 3, 2023.”

“This yearlong, paid experience will place apprentices with CLASS-LLC, working alongside our experienced information security practitioners. In addition, apprentices will take online courses and gain valuable industry certifications to prepare them to succeed as experienced and credentialed cybersecurity professionals,” Williams continues.

Cassandra Dacus, Cyversity Atlanta Chapter President, expounds on the apprenticeship, “As a non-profit organization, Cyversity relies on the generosity and the engagement of those companies and institutions who recognize the importance of our work. Such groups work on the front lines of cybersecurity and thus have keen insights into the dynamics of cybersecurity and the particular value that a diverse and inclusive workforce makes possible. Cyversity’s efforts train a diverse and inclusive workforce making opportunities available to forward-looking companies to fill a multimillion shortfall in the cyber security workforce.”

About CLASS-LLC: CLASS-LLC is a cybersecurity and business services firm. It is not a technology company but aligns with strategic partners to develop comprehensive solutions. CLASS-LLC uses professional certification workshops and custom developed training to develop the cybersecurity capabilities of the entire workforce, from general computer users to senior executives.

About Cyversity: Cyversity works to achieve the consistent representation of women and underrepresented minorities in the cybersecurity industry through programs designed to diversify, educate, and empower. Cyversity tackles the ‘great cyber divide’ with scholarship opportunities, diverse workforce development, innovative outreach, and mentoring programs.

To schedule an interview with Keyaan Williams or Cassandra Dacus, please call Lisabeth Begin, Publicist, at 727-243-6965 or email at \[email protected\] For more information about CLASS-LLC go to https://www.class-llc.com/

Cyber Leadership and Strategy Solutions (CLASS-LLC) and Cyversity Launch a Cybersecurity Apprenticeship Cohort

**SAN FRANCISCO, October 28, 2022** — Nozomi Networks Inc., the leader in OT and IoT security, today announced the SANS 2022 OT/ICS Cybersecurity Report finds ICS cybersecurity threats remain high as adversaries set their sights on control system components. In response, organizations have significantly matured their security postures since last year. In spite of the progress, more than a third (35%) don’t know whether their organizations had been compromised and attacks on engineering workstations doubled in the last 12 months.

> “In the last year, Nozomi Networks researchers and the ICS cybersecurity community have witnessed attacks like Incontroller move beyond traditional targets on enterprise networks, to directly targeting OT,” said Nozomi Networks Co-founder and CPO Andrea Carcano. “While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to take steps now to minimize risk and maximize resilience.”

**ICS Cybersecurity Risks Remain High**

*   62% of respondents rated the risk to their OT environment as high or severe (down slightly from 69.8% in 2021).
*   Ransomware and financially motivated cybercrimes topped the list of threat vectors (39.7%) followed by nation-state sponsored attacks (38.8%). Non-ransomware criminal attacks came in third (cited by 32.1%), followed closely by hardware/software supply chain risks (30.4%).
*   While the number of respondents who said they had experienced a breach in the last 12 months dropped to 10.5% (down from 15% in 2021), 35% of those said the engineering workstation was an initial infection vector (doubling from 18.4% last year).
*   35% did not know whether their organizations had been compromised (down from 48%) and 24% were confident that they hadn’t had an incident, a 2x improvement over the previous year.
*   In general, IT compromises remain the dominant access vector (41%) followed by replication through removable media (37%).

**ICS Cybersecurity Postures are Maturing**

*   66% say their control system security budget increased over the past two years (up from 47% last year).
*   56% say they are now detecting compromises within the first 24 hours of an incident (up from 51% in 2021). The majority (69%) say they move from detection to containment within 6 to 24 hours.
*   87.5% have conducted a security audit of their OT/control systems or networks in the past year (up from 75.9% last year) – one-third (29%) have now implemented a continual assessment program.
*   The overwhelming majority (83%) monitor their OT system security. Of those, 41% used a dedicated OT SOC
*   Organizations are investing in ICS training and certification: 83% of respondents are professional control system certification holders – a significant jump from 54% in the last 12 months.
*   Nearly 80% have roles that emphasize ICS operations up from 50% in 2021.

**To learn more about the latest trends in OT/ICS cybersecurity:**

*   Download: The State of OT/ICS Cybersecurity in 2022 and Beyond

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nozomi Networks-Sponsored SANS Survey Finds Security Defenses are Getting Stronger as Cyber Threats to OT Environments Remain High

Operators of The Real Deal and German Deep Web underground marketplaces are in custody for allegedly dealing in drugs, weapons, malware, and more.

A pair of splashy busts this week, one in the US and the other in Germany, demonstrates that global law enforcement teams are actively pursuing Dark Web forum criminal activity. 

On Oct. 26, the Northern District of Georgia filed charges against Daniel Kaye for his alleged operation of The Real Deal underground marketplace that sold malware, stolen credentials, and even money-laundering services, according to the Department of Justice statement. 

"This case is an example of our persistent determination to work with our international partners to hold criminals accountable no matter how sophisticated their cyber fraud or their geographic location," Keri Farley, Special Agent in Charge of FBI Atlanta, said about the charges. "Let this indictment be a message that the FBI and our partners place a high priority on the investigation and prosecution of hackers who intrude into our infrastructure and threaten the personal security of our citizens."

As if to underscore the point, Bavarian authorities arrested a 22-year-old unnamed student for operating a platform called Germany on the Deep Web that law enforcement said is notorious for selling drugs and more under the motto, "No control, everything allowed." 

Maybe not everything. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dark Web Forum Busts Come Days Apart

The next generation of cybersecurity pros will need to participate frequently in relevant training to expand their skills and stay engaged.

The shortage of cybersecurity professionals worldwide is a growing concern for organizations of all sizes, as threats mount and attack vectors become more difficult to defend against.

CyberSeek.org counts nearly 770,000 open jobs in cybersecurity, and the data is showing that employer demand for cybersecurity workers is growing 2.4 times faster than the overall rate across the US economy.

To adequately train the next generation of cybersecurity pros, organizations need to start thinking more collaboratively, using virtual technologies as learning tools, and turning to upskilling to offer opportunities to in-house talent.

**Teaching the Why Along With the How**

Some of the changes in training and education approaches are fundamental, argues Andrew Hay, COO at Lares Consulting, an information security consulting firm.

"We often teach people the 'how' but never the 'why' when it comes to cybersecurity training," he says. "For example, we'll show someone how to run a tool to detect a vulnerability, but we won't educate them on why the vulnerability surfaced in the first place."

He says if you don't show people how to prevent vulnerabilities from occurring, you're doomed to keep showing them how to detect them after the fact.

"We have an entire team dedicated to showing our customers how to detect, mitigate, and prevent attacks within their organization," he says. "Not only do we show effect, but we also show cause." Hay says by training people to prevent insecure configurations in the first place, you can help them reduce their attackable surface area.

He adds that cyber-range and capture-the-flag (CTF) events are fantastic learning environments to hone your skills and grow as a cybersecurity professional.

"You'll get to experience how others think about attacking a system, what tools and techniques they use, and their thought process," Hay says. "It's invaluable."

**Playing NICE**

Danielle Santos, manager of communications and operations for NIST'S National Initiative for Cybersecurity Education (NICE), says investing in cybersecurity training and education now is critical to meet this growing demand.

"We are coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals," she explains. By facilitating a mechanism whereby the educators, trainers, and employers can come together as a community, they are better positioned to have training that meets the workforce demand.

NICE is also responsible for maintaining the Workforce Framework for Cybersecurity, which describes tasks, knowledge, and skills that are needed to perform cybersecurity work. It provides a standard for training and certification providers to establish knowledge and skill requirements according to tasks in the workplace.

**Smashing Training Silos**

Mika Aalto, co-founder and CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions, says that the motivation for training today is compliance-driven, not security-driven, which leads to training implementations that can't address human cybersecurity risk.

He argues that organizations should take a risk-based view of the actual attacks employees face and focus on building the right culture and driving the adoption of the correct habits.

"When it comes to the core sins, organizations are running punitive programs that fail to capture employees' hearts and minds," he says.

Making matters worse, training frequency is occasional, and curriculum is built with a one-size-fits-all mentality. "Today's technology allows us to automatically develop and deliver individual training experiences at scale, driving behavior change rather than raising awareness," he says.

From Aalto's perspective, another core sin is that the training often gets siloed. "Awareness professionals are blind to the attacks and metrics managed by security operations," he says. "They lack the cohesive processes and technology to share intelligence and augment detection and response capabilities."

He says that modern teams should work in harmony, with effective training platforms that enable employees to hunt attacks that have infiltrated the organization and integrate that data into operations to mitigate the threats in real time.

"Extending awareness into the center of the security stack is a game-changer in how training is conducted and leveraged," he adds.

**Innovations in Training**

Santos notes that over the past several years, simulated training has shown promise as a mechanism to learn new cybersecurity skills. Training offered through cyber ranges, for example, allows learners to experience simulated real-world scenarios and demonstrate applied knowledge and skills.

"Additionally, apprenticeships, while not new to the broader workforce, but relatively new as they apply to the cybersecurity workforce, is a proven approach to expanding cybersecurity talent," she says.

She highlights the US Departments of Commerce and Labor's recent partnership on a 120-day Cybersecurity Apprenticeship Sprint to promote the Registered Apprenticeship model as a way to develop and train a skilled and diverse cybersecurity workforce.

**Moving to New Training Models**

Kelly Albrink, Bishop Fox practice director for application security, points out that cybersecurity training has historically culminated in a multiple-choice test that relies on memorization.

"With the Internet at our fingertips, memorization is far less important than problem solving," she explains. "So, training should be more focused on hands-on exercises that directly map to what real cybersecurity work looks like."

She mentions her company's Bishop Fox Academy, an internal training program to help people gain both technical skills and soft skills. "Bishop Fox is one of the few companies with actual entry-level roles for junior consultants," Albrink says. "We have a formal mentor program that matches consultants based on their interests and specializations."

She says that in earlier iterations of the mentor program, the company received a lot of feedback from both mentors and mentees that they wanted more structure and guidance on how to get the most out of the program, which led to the creation of a worksheet to help guide initial conversations. It included both "getting to know you" questions to help pairs build an immediate connection, as well as guidance on goal setting.

"We also understand that not every mentor match is the best fit so, 2-3 times a year we give people the opportunity to get a new match or extend their current pairing," she adds. "I typically encourage people to have multiple mentors and receive mentoring on more than one topic."

**The Benefits of Upskilling**

"When you upskill existing cybersecurity, staff you can cut down the learning curve within your organization and often fill gaps faster," Ron Culler, vice president cyber learning officer at CompTIA, explains.

However, it's not just existing cybersecurity staff that should be the focus — he says organizations should be looking across their workforce and at all its IT staff. "Many of these individuals have strong foundational knowledge of the organization," he says. "They can be some of the best candidates to work in cybersecurity, simply because cybersecurity encompasses all aspects of an organization."

Santos agrees that upskilling is an effective approach to filling talent gaps more quickly in an organization. "It utilizes the existing workforce, many of whom have transferrable skills that can be applied to a cybersecurity," she says.

**Cybersecurity Touches All Aspects of an Organization**

CompTIA offers education, training, and certification options for individuals interested in working in cybersecurity and those already in the profession. Four certifications are specific to cybersecurity skills at different career levels — entry, mid, and advanced. Cybersecurity is also embedded in the company's other certifications in networking, data, cloud computing, and other disciplines.

Culler points out that traditional approaches have often focused on individuals with a heavy background in technology.

"While this is still needed, cybersecurity encompasses much more than just tech," he says. "Diverse experiences and skills are needed to fill gaps in cybersecurity roles throughout organizations."

As he puts it, cybersecurity is not a technology issue, but rather something that touches every aspect of an organization.

**Training the Next Generation of Hackers**

From Albrink's perspective, you can't buy enough senior talent to meet the demands of the market. The only viable solution is to train the next generation of hackers.

"In terms of best practices, newcomers often want to learn everything and get overwhelmed," she says. "If they pick two focuses, and those two things synergize well, they'll be much better set up for success."

She adds that learning in a vacuum, like simply reading a book or watching a video, doesn't lead to good results. "I always recommend that you pick a hands-on project to apply what you're trying to learn," she says. "For example, every webapp hacker should build and deploy their own app."

She says that gives you a much better perspective on how difficult it can be to put common defensive recommendations into practice and helps you to better understand the struggles that developers face.

**More Flexibility, More Investment**

Albrink says she's seen a trend of publicly available training moving to a more on-demand subscription-based model. "This gives learners the flexibility to fit their training schedule to their busy lives," she says. "So, instead of trying to knock out a red team lab in 30, 60, or 90 days, they get access for a year."

The downside is the training has become a lot more expensive and out of reach for most people paying for it themselves.

Santos explains the US Department of Commerce supports a workforce development model, to include training, that leans on an employer-driven regional approach. "An employer-driven approach aims to ensure that the supply of cybersecurity talent is job-ready," she says.

Culler agrees it's important to invest in cybersecurity training now because cybersecurity threats aren't going away or lessening. "We need a cyber aware and cyberskilled workforce for organizations to remain competitive and thrive in the current environment and into the future," he says.

From Aalto's perspective, the key word is "invest." He points out that around 90% of breaches contain a human element, almost always initiated by a phishing attack, and yet only 3% of security budgets go to awareness.

"That imbalance tilts the advantage towards the threat actors, whose attacks get more relentless and sophisticated by the day," he says.

In a risk landscape where cybersecurity is increasingly expensive and hard to get, and where regulations tighten all the time, it's up to organizations to take a risk-based approach to protect themselves where they're most vulnerable — their people.

"It works, if your training is done right," Aalto says.

Wanted: Cybersecurity Training That Breaks Down Silos

The threat actor uses commands from legitimate IIS logs to communicate with custom tools in a savvy bid to hide traces of its activity on victim machines.

Hacking group Cranefly is using the new technique of using Internet Information Services (IIS) commands to deliver backdoors to targets and carry out intelligence-gathering campaigns.

Researchers at Symantec have observed a previously undocumented dropper Trojan called Geppei being used to install backdoors (including Danfuan and Regeorg) and other custom tools on SAN arrays, load balancers, and wireless access point (WAP) controllers that may lack appropriate security tools, according to a blog post on Oct. 28.

In examining the activity, the team noticed that Cranefly is using ISS logs to communicate with Geppei.

"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks, making it novel," Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter team, tells Dark Reading. "It is a clever way for the attacker to send commands to its dropper."

ISS logs record data such as webpages visited and apps used. The Cranefly attackers are sending commands to a compromised Web server by disguising them as Web access requests; IIS logs them as normal traffic, but the dropper can read them as commands, if they contain the strings Wrde, Exco, or Cllo, which don't normally appear in IIS log files.

"These appear to be used for malicious HTTP request parsing by Geppei — the presence of these strings prompts the dropper to carry out activity on a machine," Gorman notes. "It is a very stealthy way for attackers to send these commands."

The commands contain malicious encoded .ashx files, and these files are saved to an arbitrary folder determined by the command parameter and they run as backdoors (i.e., ReGeorg or Danfuan).

Gorman explains that the technique of reading commands from IIS logs could in theory be used to deliver different types of malware if leveraged by threat actors with different goals.

"In this instance, the attackers leveraging it are interested in intelligence gathering and delivering backdoors, but that doesn't mean this technique couldn't be used to deliver other types of threats in the future," she says.

In this case, to date, the Symantec threat team has found evidence of attacks against just a handful of victims.

"That is not unusual for groups focused on espionage, as these attacks tend to be focused on a small number of selected victims," Gorman explains.

**Cranefly: A Threat of Reasonable Sophistication**

Gorman explains that the development of custom malware and new techniques requires a certain level of skills and resources that not all threat actors have.

"It implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks," she says, noting the gang also takes steps to cover up its activity on victim machines.

The dropped malicious backdoors are removed from victim machines if the Wrde command is called with a specific option ("r").

"A step like that displays quite a high level of operational security by the group," she adds.

**Deploying an In-Depth Defense Strategy**

Gorman says that the typical rules apply to defending against Cranefly as they do when it comes to most types of cyberattacks: Organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.

"Organizations should also be aware of and monitor the use of dual-use tools inside their network," she says, noting that Symantec would also advise implementing proper audit and control of administrative account usage.

"We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network," she says. "Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

Cranefly Cyberspy Group Spawns Unique ISS Technique

Embedding security throughout your company has greater organizational impact and myriad benefits.

As cybersecurity has become an increasingly important consideration in corporate decision-making, there's been a corresponding move to elevate the role of the chief information security officer (CISO) to a higher point in the executive hierarchy. The reasoning seems to be, "If cyber is important, CISOs must be important." However, elevating the role sets the CISO up to be a lone voice in the desert crying "security," with little connection to the day-to-day decision-makers in IT, engineering, or products.

This has led to some undesirable consequences, like the Facebook exec who thought it was OK that the company's security measures caused hours-long delays in responding to its Oct. 4, 2021, outage, or the Uber exec who paid off hackers who breached his system, rather than acknowledge the breach, or the numerous CISOs who have invested in "additional layers of security" rather than admit they made poor selections initially. In all of these cases, the CISO's isolation from functional business units undoubtedly played a role in the tunnel thinking these decisions reflect.

**Organizational Impact**

Perhaps it's time to reimagine the role of the CISO. Maybe it's better to see the CISO's importance reflected in organizational impact rather than organizational status. Perhaps embedding security in functional units will result in better security.

Imagine the CISO as a part of the IT organization ecosystem. They would be involved in every decision about the infrastructure, and security concerns would be integral to those decisions rather than tacked on after the fact. This would allow for a set of "security" solutions based on how the network is structured and managed, rather than on special security capabilities inserted into the infrastructure by an outside group.

Imagine a security expert embedded in the software development organization. They would be able to refine the development process to make sure code is written and tested with an eye to security, without saddling the developers with processes that are alien to them, thereby reducing the vulnerabilities in the company's code. Imagine a security expert embedded in product lines. They would be able to make sure the corporate infrastructure protects their IP and that their development process reduces the vulnerabilities in their product.

In all these cases, security becomes a factor in corporate decisions grounded in the reality of corporate operations. The technical expertise of the CISO becomes integral to day-to-day work rather than a constraint imposed upon it. Similarly, security and compliance need to work seamlessly so that financial systems and communications with partners and vendors remain secure. This extends to telecom systems and other hardware.

**The Risk Factor**

This seems like a more impactful way to make the technical dimension of security a powerful voice in company execution. However, one may wonder if this will diminish the policy dimension, balkanizing it to address the special interests of individual functional units. This concern can be addressed by expanding the role of the chief risk officer to include the security policy functions currently carried out by the CISO. 

This has the benefit of keeping security policy at the C-level, where it gets the attention it needs. It has the further benefit of having cybersecurity risk considered in the context of other risks (risk to availability, risk to reputation, to address the cases above). Security would no longer be an end in itself, but a dimension of doing business. This doesn't mean security needs to battle it out with other concerns and make accommodations that compromise the security posture of the organization. Rather, it sets up an environment that trades the either/or mentality for one that seeks to satisfy all requirements.

There are numerous access control technologies that would have protected Facebook effectively without locking out its own personnel. When the security risk is considered along with the availability risk, those more pragmatic solutions would emerge.

Reimagining the Role of the CISO

New technologies designed into processors allow enterprises to leverage cloud advantages while meeting privacy regulations.

Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.

Confidential computing involves creating an isolated vault on hardware — also called a trusted execution environment — in which encrypted code is protected and stored. The code is accessible only to applications with the right keys, which are usually a combination of numbers, to unlock and then decrypt it. A process called attestation verifies all is correct, minimizing the chances of unauthorized parties stealing or pilfering the data.

Confidential computing offers the "ultimate in data protection," said Mark Russinovich, chief technology officer at Microsoft Azure, during a streamed session at the company's Ignite conference in October.

"Because it is inside the enclave, protected by hardware, nothing outside can see that data or tamper with it," he said. "That includes people with physical access to the server, the server administrator, the hypervisor, and the administrator of an application."

Confidential computing allows companies to migrate workloads that rely heavily on data privacy and security to the cloud, analysts say. Companies in highly regulated industries like healthcare and finance can move to cloud services while maintaining their security posture.

**Spying the Holes in the Clouds**

Since its early days, the utilitarian appeal of cloud computing, in terms of pricing and flexibility, largely drowned security concerns. The most vocal criticism of cloud computing was the prospect of privacy being impossible to ensure because guest workloads could not be completely isolated from the host system, says James Sanders, principal analyst for cloud, infrastructure, and quantum computing at technology research firm CCS Insight.

"However, the disclosure of the Spectre and Meltdown vulnerabilities in 2018 demonstrated the potential for a malicious cloud tenant to exfiltrate data from the workloads of other processes on the same host system," Sanders says.

The vulnerabilities exposed to hackers confidential information leaving secure enclaves. The twin attacks also pushed along the wider idea of confidential computing, in which encrypted code was accessible to only authorized parties but would not leave isolated enclaves.

Confidential computing prevents bad guys from breaking into servers and stealing secrets, says Steve Leibson, principal analyst at Tirias Research.

"The state-sponsored \[attacks\] are the most difficult and the most sophisticated," he says. "So at this point you really have to think about protecting data in use, in motion, and stored. It must be encrypted in all three situations."

**Grounding Confidential Computing in Silicon**

Confidential computing is changing the way hardware makers and cloud providers think about applications on virtual machines and not directly on processors, Leibson says.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon," he says. "But a virtual machine — that's just software. You can alter it. Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

Chip makers have since taken a security-first approach in chip design, and it has trickled down to cloud offerings. Last month Google, Nvidia, Microsoft, and AMD jointly announced a specification called Caliptra to establish a secure layer on chips where the data can be protected and trusted. The specification protects the boot sector, provides attestation layers, and safeguards against conventional hardware hacking, such as glitching and side-channel attacks. Caliptra is managed by the Open Compute Project and Linux Foundation.

"We are looking ahead to future innovations in confidential computing and varied use cases that require chip-level attestation at the level of a package or system on a chip (SoC)" with Caliptra, wrote Parthasarathy Ranganathan, vice president and technical fellow at Google, in a blog entry posted during the Google Cloud Next event that took place in mid-October.

Google already has its own confidential computing technology called OpenTitan, which is mainly focused on protecting the boot sector.

Microsoft's previous efforts at confidential computing relied on partial enclaves rather than protecting the entire host system, CCS Insight's Sanders says. However, this month the company announced Azure virtual machines with confidential computing based on technology baked into Epyc, a server processor from AMD. AMD's SNP-SEV encrypts data when it is loaded into a CPU or GPU, which protects data while being processed.

**Clearing the Way to Real-World Compliance**

For enterprises, confidential computing offers an ability to secure data in the public cloud as required by regulations like Europe's General Data Protection Regulation and the United States' Health Insurance Portability and Accountability Act, analysts say.

"Availability of administrator-proof encryption in the cloud undercuts one of the longest-serving anti-cloud talking points, since shielding workloads from the cloud platform operator effectively eliminates the largest remaining source of risk preventing adoption of public cloud," Sanders says.

The AMD technology appeared in general-purpose virtual machines earlier this year, but the announcements at Ignite extends the technology to Azure Kubernetes Service, which provides additional security for cloud-native workloads. The AMD technology on Azure is also designed for use in bring-your-own-device workplaces, remote work, and graphics-intensive applications.

Cloud Providers Throw Their Weight Behind Confidential Computing

Apple engineers share technical details about the team's work on memory safety features on the new Apple Security Research site.

Apple's work on hardening the memory allocator has made it harder for attackers to exploit certain classes of software vulnerabilities on iOS and Mac devices, the company's security engineers wrote on a new website Apple launched to share technical details behind iOS and MacOS security technologies.

The new initiative, Apple Security Research, also offers tools to help security researchers report issues to Apple, get real-time status updates for submitted reports, communicate securely with Apple engineers investigating the issue, and provides information about the Apple Security Bounty program. The intent behind the new security hub is to share with the research community how Apple engineers approach security challenges, and also to invite researcher contributions and feedback.

Memory safety is a key area of focus, especially since memory safety violations are the most widely exploited class of software vulnerabilities. On Apple platforms, improving memory safety includes "finding and fixing vulnerabilities, developing with safe languages, and deploying mitigations at scale," the engineers wrote in a technical post on XNU memory safety.

XNU is the kernel at the core of iPhones, iPads, and Macs.

Much of the code running on the iPhone, iPad, and Mac were written using "memory-unsafe" programming languages, which means they don’t prevent memory safety violations and developers can inadvertently and unknowingly violate memory safety rules while writing code, the researchers wrote. Those issues can be exploited by attackers to crash software, execute unauthorized command, and harvest sensitive information.

It is infeasible to rewrite large amounts of existing code using memory-safe languages, so "improving memory safety is an important objective for engineering teams across the industry,” the engineers wrote.

Apple laid the groundwork for the hardened memory allocator _kalloc\_type_ back in iOS 14 when it introduced _kheaps_, the data split, and virtual memory sequestering. Apple added randomized bucketed type isolation to the zone allocator when it introduced _kalloc\_type_ in iOS 15. With the release of iOS 16 and macOS Ventura, the hardened allocator is now available on all the systems using the XNU kernel.

"Our fundamental strategy is to design an allocator that makes exploiting most memory corruption vulnerabilities inherently unreliable," the researchers wrote. "This limits the impact of many memory safety bugs even before we learn about them, which improves security for all users."

In Apple's update on its bounty program, the company said it has awarded close to $20 million to security researchers over the past two-and-a-half years since the program was launched. While average payouts are around $40,000 in the product category, the company has paid 20 separate rewards over $100,000 for high-impact issues. Evaluation criteria researchers need to meet in order to collect bounties are available on Apple Security Research.

Source

DARKReading