They may be environmentally friendly, but the surging popularity of electric cars and plug-in hybrids puts the nation's electrical grid at greater risk for malfeasance.

Is the US electrical grid — a 70-year-old behemoth — equipped to handle the load of nearly 607,000 new electric vehicles (EVs) on the roads? As a security guy working in critical national infrastructure (CNI), I wonder. I know the threats facing the US power grid and see it struggling against an already strained capacity. So let's "strength test" this load, see if the grid can handle all those EVs, and discuss what can be done if not. As the one CNI sector that singlehandedly underpins nearly all the others, it matters. 

According to BloombergNEF, there will be nearly 1 million new EVs per month — or one about every three seconds. In the UK, 17% plan to buy an electric vehicle in the next year and nearly 70% would do so if money were no object. It's no surprise, therefore, that BloombergNEF predicts more than 26 million EVs on the road by the end of 2026. An insurance consultancy estimates there will be roughly 4 million in California alone by 2030, and a report by BloombergNEF predicts that by 2040, nearly 60% of global passenger vehicle sales will be electric. From a purely emissions-based standpoint, it's almost too good to be true. But what are the consequences?

**Too Big for the Grid**

The grid also faces the challenge of supporting a fast-growing fleet of EVs and plug-in hybrids (PHEVs) that may overextend its current capacity.

The current grid is something of a marvel, made up of 9,200 generating units, 600,000 miles of transmission lines, and more than 1 million megawatts of generating capacity. However, it was built when the current electrical needs of a household were a few lightbulbs and a toaster back in the '60s. Now, think about an average Thursday night — your kids are home, there are TVs going in every room, you're running a load of wash, nobody remembered to turn the lights off in the bathroom (of course), someone's gaming, someone's streaming, someone's microwaving something, your toddler is talking to Alexa, and you're charging your Tesla. Now add 26 million more Teslas and you see the problem.

Plus, the current grid is built to give, not receive, energy. This becomes an issue with new sustainable sources of energy putting energy back into the system — like wind turbines, solar panels, and (yes) electric vehicles. We're forcing the current grid far beyond its intended use; to do any more, some suggest switching to a smart grid, which unlike the current infrastructure can give _and_ receive power, and its capacity will be much larger than what we have now. Large loads — like EV charging stations, heating and cooling systems, and football stadiums — can crash the grid, bringing the kind of instability we're trying to avoid and generally being bad for business.

Adopting a transactive method like the above can help offset the overall impact of electric vehicles on the power grid and keep things running smoothly. If done right, it will be more energy-efficient, able to load balance, and more stable. If we're to face a future where nearly 60% of all cars will require a charging station, a new grid, or focused improvements to the one we have, it's not only nice but needed.

**Securing the Grid Against EVs**

Besides overload, the biggest challenge EVs bring to the grid is security. They're huge Internet of Things devices with wheels, and the liability couldn't be higher. As of now, the IoT still represents a not-so-distant past where technology would fly off the line with minimal (if any) security controls. Yes, there are laws now, but with cloud connectivity, remote access, and various app integrations that may or may not have the same standards of security, risks are still around. As it stands, Bluetooth hacks can unlock car doors and charging stations are being held for ransom.

And according to Yury Dvorkin, an electrical and computer engineering expert at New York University, charging stations can be entry points for cyberattacks directed at the American energy grid. All it takes is one weak point in the giant, interconnected network of an electric vehicle and soon a hacker can have access to the US energy supply.

As Lear Corp.'s Andre Weimerskirch has pointed out, "An electric vehicle has far more hardware chips and software components than an internal combustion engine. More complexity means we need to be more careful around security in general."

My suggestion to energy providers would be to not wait — shore up your cybersecurity posture against a time when less-than-secure EVs hit the market. I imagine it will be like a second IoT wave (quite literally): hastily added devices released with only secondary thought to security and the onus falling primarily on the user. If you're going to allow EVs — and all the connectivity, technology, and vulnerabilities they bring — anywhere near your power utility, learn the risks and build your cybersecurity strategy around government standards for the energy industry.

How to Keep EVs From Taking Down the Electrical Grid

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.

The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates.

The bucket (now secured) contained information dating back to 2018, the report says, noting Android mobile apps also were contained within buckets, which security personnel tap to help with incident reporting and data handling.

"Airport security protects the lives of travelers and airport staff," the report explains. "As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands."  

As travel picks up dramatically following restrictions during the pandemic, Fortune Business Insights found that the global smart airport market size is set to be driven by the rising preference of the masses for air travel. The report also says that the expansion of commercial aviation is set to affect the market positively in the coming years, as airports increasingly turn to cloud service providers to house and process massive amounts of passenger and operational data.

Perhaps it's no wonder that travel-related organizations have been increasingly targeted of late. For instance, airlines have been the target of ransomware this year, including India's low-cost carrier SpiceJet, which weathered an attack in May that caused widespread flight delays. 

At the same time, multiple cybercrime groups have been spotted selling stolen credentials and other sensitive PII pilfered from travel-related websites and cloud databases, according to security firm Intel 471's tracking.

**Cloud Security Still Porous**

Back in 2019, Gartner stated that "90% of organizations that fail to control public cloud use will inappropriately share sensitive data." And that worry continues today: A recent IDC survey of CISOs in the US found that 80% of respondents are not able to identify excessive access to sensitive data in cloud production environments.

"Unfortunately, news headlines like these highlight examples of a data breach due to a simple, but harmful misconfiguration: an unsecured, exposed cloud storage service," according to Skyhigh's analysis. "Complexities around identity management, access permissions, secure configurations, data protection, and so much more, continuously result in poor cloud security hygiene and ultimately, data exposures."

And indeed, there has been no shortage of cloud security incidents recently — with misconfigurations leading the way. Cybercrime goals in subverting open databases can go beyond data pilfering, it should be noted, as shown by the recent discovery of Denonia, a Go-language-based cryptominer malware. It's designed to exploit AWS Lambda, the serverless function execution service.

Also, vulnerabilities in cloud products and services have become a growing concern for organizations, with a Linux container-escape flaw in Microsoft's Azure Service Fabric among the latest vulnerabilities disclosed.

The good news? One potential cloud security resource was recently established by security researchers at Wiz in the form of a community-based database — cloudvulndb.org — which currently lists some 70 cloud security issues and vulnerabilities.

**How to Protect Against Cloud Threats**

A recent survey of 500 security practitioners and 200 executives, conducted by cloud automation firm Lacework, indicated organizations must change the way they're securing cloud infrastructure and services.

Skyhigh’s report notes increasing read/write privileges are often the go-to for further strengthening cloud security. However, "in reality it will take far more than that; thanks to the extensive manners by which cloud storages can be accessed and misused," the report states.

So, other measures that the firm said should be implemented include: 

*   Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
*   Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
*   Enforce compliance checks against industry best practices to maintain secure postures.
*   Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
*   Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
*   And apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake'

New research says IAM spending will grow on the back of affordable subscription services, spurred by cloud and mobile adoption, IoT, and continued remote working.

A study out this week shows that global spending on identity and access management (IAM) solutions is on pace to rise by 62% over the next five years. A big chunk of that growth will be built on the back of subscription services, which analysts say are quickly accelerating to be the dominant model of purchasing IAM solutions — they're expected to make up the vast majority of the IAM market by 2027.

Published by Juniper Research, the study today reports that IAM spending will rise from an expected $16 billion this year to $26 billion in 2027. The firm’s analysis found that small businesses are spurring a lot of this growth. Until relatively recently, everyone but the largest enterprise organizations were shut out of many parts of the IAM market because the comprehensive suites were expensive and difficult to deploy. 

As SaaS and cloud subscription services have proliferated in the space, smaller firms increasingly have found IAM within their reach, and this study says to expect this trend to snowball. Whereas the subscription model makes up 60% of the market now, in five years the researchers forecast it will make up 94% of all IAM spending.

**IAM Spurred by Modern Realities**

Meanwhile, other, broader IT trends such as the explosion in cloud computing, bring-your-own-device (BYOD) policies, mobile computing, Internet of Things (IoT), and more geographically dispersed workers are all spurring greater IAM services spending to solve an acute need for saner access control.

"There are more devices and services to be managed than ever before, with different requirements for associated access privileges," according to Juniper's analysts. "With so much more to keep track of, as employees migrate through different roles in an organization, it becomes increasingly difficult to manage identity and access."

According to Naresh Persaud, managing director in cyber-identity services for Deloitte Risk & Financial Advisory, the market has been especially jumpstarted in the last 12 to 18 months as organizations work to accommodate a broader range and larger scale of remote-work situations.

"During the past year or so, demand for IAM has increased considerably, driven by the need to support work from home or hybrid in-office structures demanding remote access," Persaud says. "And, increasingly, more end users are engaging with organizations virtually. As such, we're seeing a real increase in organizations that want to leverage identity access management as a channel through which they can build customer relationships digitally."  

This trend is especially driving cloud-based IAM, says Sushil Madhukar, chief principal at consultancy TechDemocracy.

"Companies are looking to adopt cloud-based solutions that can support and manage security and risk management, scale and manage remote working, and bring visibility to distributed identity management," Madhukar says. "The future of IAM will continue down this remote working path, but with an even bigger emphasis on ease of use and digital identities. Passwordless authentication and SaaS-based and -driven identity solutions will become a key focus in the near future."

**Subscriptions to the Fore**

According to Persuad, many organizations of all sizes still struggle to stitch together all the various IAM subscription services (or legacy on-premises ones, for that matter), which means that the next big challenge for firms will be in putting together the right talent to manage the entire IAM portfolio. This will likely spur further spending, and for resource-constrained organizations will likely drive them to embrace managed services specifically with IAM expertise to handle the talent gap.

"Many organizations are working to rationalize applications and modernize or replace parts of their IAM tech stacks — or, if those stacks are functioning well, scale solutions to cover broader footprints of their apps with IAM for better workforce experience and data protection," Persaud says. "As IAM program sophistication advances, so do the needs for talent to run and operate those programs. The result: IAM talent has become even more scarce than it already was. Leveraging more advanced technologies and solutions and managed services are just a few of the approaches organizations can consider to help contend with that talent gap."

Identity Access Management Is Set for Exploding Growth, Big Changes — Report

Organizations must balance the risk and reward of new cyber-asset management technologies.

The recent upheaval in the supply chain is unprecedented, thanks to ongoing disruptions tied to the pandemic, financial and trade sanctions stemming from Russia's war in Ukraine, cyberattacks targeting the supply chain, and other factors. To become more resilient in the face of these disruptions, many companies are turning to aggressive modernization efforts, rushing to use every available technology tool while attempting to minimize the risks that come with the use of the tools. In this article, we'll explore how better cyber-asset management is the key to striking the optimal balance.

**Benefits­ and Risks of Adding New Technologies for Supply Chain Modernization**

Supply chain challenges are likely to endure for the foreseeable future, with experts predicting supply chain disruptions to continue well beyond 2022. As companies try to adjust to this new normal of disruption and become more resilient, supply chain modernization is increasingly a target for enterprise investment and capital infusions to fund technology innovation.

The priority is to modernize across the whole service value chain — including one's own operations and externally among the many vendors and partners involved in the supply chain. Technology modernization initiatives and enhanced connectivity across these extended supply chain ecosystems can enhance resilient operations in multiple ways.

Key focus areas for modernization include AIOps for production automation and auto resolution of issues; digital thread for enhanced visibility, traceability, and digital twin modeling across supply chain networks; and smart contracts in private blockchain networks for agility in adjusting partner arrangements and contracting agreements with a minimum of red tape.

Yet, for all their benefits, such capabilities come with risks, including new vulnerabilities that may be introduced across the broader attack surfaces that result from these implementations and the added connectivity that goes with them. To mitigate these risks, supply chain managers need visibility and control around cyber assets, ideally in the form of a comprehensive cyber-asset management strategy.

**How to Plan and Implement Cyber-Asset Management Strategies**

A strong cyber-asset management program can greatly strengthen the environment in which new technologies are operating. When correctly implemented, such a strategy can support maximum security, efficiency, and interoperability across the entire supply chain. The more complete picture an organization can get across its entire spectrum of assets — including their characteristics, behaviors, and interdependencies — the better orchestration and fewer surprises companies will have with their supply chains.

A good cyber-asset management strategy will facilitate data standardization, automation across platforms, traceability, and other modernization must-haves to deliver a more unified view of assets and dependencies. The ultimate goal of this strategy is to ensure the enterprise reaps the benefits of new technologies for supply chain resilience while minimizing any drawbacks.

For example, a company may look to embrace smart contracts via blockchain technology but do so on a private blockchain versus a public blockchain. This helps ensure that the organization gets the benefits of blockchain's distributed ledger paradigm without risks such as vulnerability to possible snooping into contract details for clues about product schedules, company IP, or other proprietary information.

For this and any other supply chain modernization use case involving new technology, the cyber-asset management strategy must encompass the entire spectrum of OT and IT assets — including the IT teams' hardware, networking, and connectivity, together with OT-related machine data and machine software.

Throughout, remember to ensure high standards across your entire extended network of partners and suppliers. This is where certifications and accreditations like ISO, CMMI, SOC2 can be particularly useful in evaluating the reliability of supply chain partners. Having strong compliance and cyber-asset management standards in place across partner networks is particularly critical in certain specialized supply chain environments — such as pharmaceutical cold chain, in which $35 billion is lost annually from failures in temperature control logistics.

**Conclusion**

New technologies can help modernize supply chains to adapt, but only if they're configured correctly and securely. Cyber-asset management is the way to separate the promise from the pitfalls in leveraging new technologies for supply chain modernization and resilience.

The Cyber-Asset Management Playbook for Supply Chain Modernization

Our roundtable of cybersecurity experts weighs in on what makes QNAP network-attached storage catnip for attackers, and what organizations can do about it.

QNAP has had a rough run of it lately on the cybersecurity front, with cybercrime groups continually targeting known vulnerabilities in its network-attached storage (NAS) devices and serious vulnerabilities coming to light several times already in 2022.

QNAP offerings and other NAS options provide centralized, shared file storage that can be accessed by multiple users and client devices on a local area network (LAN). They also offer a popular alternative to cloud backups and storage for smaller companies — and tend to house treasure troves of data.

According to Shodan, there are almost 300,000 QNAP devices directly connected to the Internet. And — to put it simply — attackers appreciate the large population.

Given this, attackers see NAS customers as a golden opportunity, according to a Dark Reading roundtable of security professionals, as evidenced by a bonanza of recent QNAP-related cyberattack activity.

**Unpatched QNAP Customers Face Ongoing Cyberattack Frenzy**

The multilevel-extortion threat known as the Deadbolt ransomware, in particular, is beating up on QNAP customers. Just last month, for example, the company flagged a new Deadbolt campaign going after its hardware — the second spate of such attacks in the past few weeks.

Other cybercrime groups are also taking aim at vulnerable devices: Earlier this year, QNAP was targeted by a wave of attacks using a new ransomware strain called eCh0raix.

Ransomware gangs are usually looking to exploit known bugs, such as critical flaws disclosed in April in Netatalk that affect QNAP and Synology firmware (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). These, which remain unpatched on certain NAS devices, allow remote code execution (RCE).

Another exploitable (but patched) flaw is a cross-site request forgery (CSRF) vulnerability (CVE-2021-34360) disclosed earlier this year in QNAP NAS devices running Proxy Server, which allows remote code injection.

It's worth noting that more sophisticated threats have options to pivot deeper into the network at patch-avoiding organizations as well: In March, the Taiwan-based QNAP said that its devices contained the severe Linux kernel vulnerability known as "Dirty Pipe," which is a privilege-escalation flaw that was deemed serious enough to warrant an alert from the US Cybersecurity and Infrastructure Security Agency (CISA). Of course, QNAP isn't alone in being vulnerable to that particular bug, but it contributes to the gear's attractiveness as a target.

In all, CISA has at least 10 QNAP vulnerabilities listed as being actively exploited by adversaries in its Known Exploited Vulnerability (KEV) Catalog.

Dark Reading spoke to a slate of security researchers about why QNAP devices are in the crosshairs of so much cyber-activity, and what companies can do about it.

**Why Is QNAP Getting Targeted?**

QNAP devices are attractive to cybercriminals for a number of reasons, including the fact that QNAP storage appliances are most often utilized by small to midsize (SMBs) businesses with very small (or non-existent) IT and security teams. This often translates to a lack of manpower for installing patches, among other downsides — creating large pools of devices that are ripe for exploitation.

"Storage devices that can be a core piece of an organization's operations that are easy to exploit create a perfect storm for ransomware gangs looking to ensure a quick payout to their extortion demands," says Chris Clements, vice president of solutions architecture at Cerberus Sentinel.

Also, the main mission attackers take on when exploiting vulnerabilities is, most often than not, data gathering. Historically, NAS products have been used by companies who prefer to take the route of an on-premises storage with a need for heavy use and storage capabilities, rather than a third-party handover of sensitive data, according to Brad Hong, customer success lead at Horizon3.ai.

"Since QNAP-branded NAS are quite literally a lateral extension of the organization's brain, even sometimes serving as the sole disaster-recovery storage, and make up about 54% of the NAS market share, it's only natural that its OS is a prime target for attackers," says Hong. "Imagine being able to circumvent all the strenuous steps of the cyber kill chain across every single enterprise, and instead using one key that fits more than half of the industry — effectively, it becomes a single vulnerability that negates all relevant cyber-stacks."

**NAS Appliances a Dangerous Attack Vector — But Patching Lags**

The risks to businesses from a successful compromise are myriad, researchers note, especially since by their very nature NAS appliances are often the primary data storage medium or are responsible for housing backups. Thus, successfully encrypting a storage appliance with ransomware can mean that the victim loses not only data, but also the source of backups and thus the ability to recover.

"The successful exploitation of a QNAP device, which often serves simultaneously as the heart and backbone of an organization, is akin to walking right into a HQ and swiping all its data," Horizon3.ai's Hong explains.

Roger Grimes, data-driven defense evangelist at KnowBe4, notes that a compromise not only means that the attacker has immediate access to data, but that the threat actor can use the initial exploitation to gain further access to the victim's logon credentials and broader network environment. Thus, he says, using security fundamentals should be a must-do.

"Basically, if defenders use strong log-on credentials, keep it patched, and follow the vendor's configuration recommendations, it can be as secure as any other cyber-product," he notes. "But according to CISA's KEV reporting, only three of the 10 reported exploited vulnerabilities have occurred since 2020. Most of the exploits are from things fixed by the vendor and patched years ago."

Cerberus Sentinel's Clements points out that appliances in general can also often lag significantly behind patching cadences of desktop or server systems, because most vendors lack a centralized mechanism for scheduling and deploying fixes for serious security flaws.

"Patches need to be manually applied by administrators," he says. "And patching storage appliances can also be disruptive not only because they require reboots, during which time important data can be inaccessible to a business, but often security patches are distributed by appliance vendors as part of larger firmware updates that can alter or even remove existing functionality that an organization may depend on."

But KnowBe4's Grimes notes that a simple administrative change could help the issue.

"Most of today's QNAP devices have an automatic patching feature, but it won't automatically apply the patch and reboot without the admin's consent," he explains. "Patching and rebooting takes time and causes operational interruption to the data on the device. So, they have to ask for approval. It would benefit QNAP and really every device in the world if the vendor was allowed to patch and reboot without permission."

QNAP customers would need to accept that patching is going to happen and expect small amounts of operational interruption during the patching process, he adds, pointing out that they could even control when the automatic patching happens.

**What is QNAP's Responsibility for Customer Security?**

While customers bear responsibility for their own patching, what about QNAP's rash of security bugs (and spotty track record in patching them quickly)?

"Of course, QNAP can help by doing better, more secure coding," Grimes says. "Many of the announced vulnerabilities have been because QNAP didn't do secure development lifecycle (SDL) coding and simple security reviews. Many of the flaws over the last few years are so basic that it just shows you that QNAP wasn't concentrating enough on making sure they had less vulnerable code."

Horizon3.ai's Hong highlighted the vendor’s own history of being slow to patch disclosed vulnerabilities.

"There's a larger conversation to be had here about legislation that should be passed to ensure vendors are doing their part to protect security, not just market share," he says. "One notorious example goes back in 2020 when an unauthenticated RCE and arbitrary file write exploit took more than seven months to be patched and, even then, only came after its four month disclosure grace-period expired and the exploit was finally made public."

Mike Parkin, senior technical engineer at Vulcan Cyber, has a different take, though.

"It's hard to say whether QNAP has just suffered a run of bad luck with exposed vulnerabilities or there is as actual issue keeping the systems secure, though I lean towards bad luck," he says. "Hopefully, updates from QNAP will make the devices more secure and the user community will take notice and review their own deployments to make sure they were done securely."

QNAP did not respond to a request for comment for this article.

**How Can Companies Protect Themselves Against QNAP Attacks?**

When it comes to best practices for defense, the basics are the place to start, researchers said, including regular patching as explained above. But other measures are important too, like keeping appliances off the Internet and using strong, unique log-on credentials.

"Generally, organizations should minimize their public attack surface," says Jake Williams, executive director of cyber-threat intelligence at Scythe. "Many vulnerabilities in networking gear and other appliances are only exploitable when the administrative interface is exposed to the Internet (something almost universally discouraged by device vendors)."

If they must be accessible via the Internet, appliances should be behind other security measures, according to Satnam Narang, senior staff research engineer at Tenable. "Ideally, you don't want to expose your NAS devices publicly, so keep them behind a router and a firewall and utilize (if available) built-in VPN functionality for remote access," he says.

Another issue that's fixable is the use of Universal Plug and Play (UPnP), which is a network protocol that allows devices to automatically set port-forwarding rules for themselves, meaning these devices are directly accessible from the Internet, sometimes without user knowledge.

"UPnP is used for a variety of purposes, including gaming and streaming content, with the protocol allowing convenience of quickly connecting devices to a network, but at a security cost," says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. "QNAP has clarified that in the wake of attacks targeting their NAS devices, UPnP should be disabled. Port forwarding, which also assists users in direct communication requests, should also be disabled."

Beyond the simple steps, researchers also note that technology approaches are also available, such as encryption for data.

"All organizations should invest in encrypting their sensitive data at rest, and preferably with unique encryption keys per file or object," says Scott Bledsoe, CEO at Theon Technology. "With granular encryption of data at rest, the compromise of a single encryption key will only result in a single item of information from being disclosed, and will prevent large-scale disclosure of sensitive information."

And finally, Ryan McCurdy, vice president of marketing at Bolster, explains that people-based or legacy approaches are nearly impossible to scale with the massive volume of data on the Web, all of which could be a conduit for an attack on NAS devices.

"Throwing bodies and point solutions at this problem no longer works," he says. "In order to scale, it's critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the Web, social media, app stores, marketplaces, and the Dark Web."

Roundtable: Amid Cyberattack Frenzy, How Can QNAP Customers Protect the Business?

The US Department of Commerce's National Institute of Standards and Technology (NIST) announced the first group of encryption tools that will become part of its post-quantum cryptographic standard.

At long last, the National Institute of Standards and Technology has announced the first four quantum-resistant algorithms that will become part of the post-quantum-cryptographic standard. The chosen algorithms are CRYSTALS-Kyber for general encryption to access secure websites and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

The post-quantum cryptographic standard, expected to be finalized in about two years, will help enterprises prepare their environments for that time when quantum computers would be powerful — and readily available — enough that they would be able to break present-day encryption. Researchers estimate that post-quantum threats could be reality as soon as 2030.

Attackers are also harvesting and hoarding sensitive information with the expectation that they can crack it later when quantum computing methods become available.

"Since the standardization project began in 2016, there's been a shift in attitudes towards PQC, and it is now understood as a critical part of a secure future. Now, it is going to be exciting to see more and more applications and systems transition to this next generation of asymmetric cryptography," Peter Schwabe, cryptographic engineering professor and PQShield advisory board member, said in a statement.

The NIST announcement comes after a busy few months. US President Joe Biden has issued two related directives, to foster better quantum technology research within government and to guide agencies to a post-quantum cryptographic standard. Any digital system that uses public standards for public-key cryptography could be vulnerable to an attack by quantum computers in the future. A White House memo in January called for government agencies to identify any encryption not compliant with quantum-proof standards and provide a timeline towards transition.

The agency plans to include four additional algorithms before finalizing the cryptographic standard. The schemes BIKE, Classic McEliece, HQC, and SIKE are expected to be considered.

"In practice, this means that CSOs need to take stock of their organization's ability to rapidly switch the cryptographic algorithms that underpin your data security, without upending your entire infrastructure- an approach commonly known as being 'crypto-agile,'" says Edlyn Teske, a senior expert with Cryptomathic, which specializes in cryptography for e-commerce security systems.

NIST Picks Four Quantum-Resistant Cryptographic Algorithms

Company says it is making changes to its security controls to prevent malicious insiders from doing the same thing in future; reassures bug hunters their bounties are safe.

HackerOne has fired one of its employees for collecting bug bounties from its customers after alerting them to vulnerabilities in their products — bugs that had been found by other researchers and disclosed privately to HackerOne via its coordinated vulnerability disclosure program.

HackerOne discovered the caper when one of its customers asked the organization to investigate a vulnerability disclosure that was made outside the HackerOne platform in June. The customer, like other clients of bug bounty programs, uses HackerOne to collect and report vulnerabilities in its products that independent security researchers might have discovered. In return, the company pays a reward — or bug bounty — for reported vulnerabilities.

In this instance, the HackerOne customer said an anonymous individual had contacted them about a vulnerability that was very similar to another bug in its technology that a researcher had previously submitted via the HackerOne platform.

Bug collisions — where two or more researchers might independently unearth the same vulnerability — are not uncommon. "However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning," HackerOne said in a report summarizing the incident. The customer described the individual — who used the handle "rzlr" — as using intimidating language in communicating information about the vulnerability, HackerOne said.

**Malicious Insider**

The company's investigation of the June 22, 2022, tip almost immediately pointed to multiple customers likely being contacted in the same manner. HackerOne researchers began probing every scenario where someone might have gained access to its vulnerability disclosure data: whether someone might have compromised one of its systems, gained remote access some other way, or if the disclosure had resulted from a misconfiguration. The data quickly pointed to the threat actor being an insider with access to the vulnerability data.

HackerOne's investigators then looked at their log data on employee access to vulnerability disclosures and found that just one employee had accessed each of the disclosures that customers reported as being suspicious. "Within 24 hours of the tip from our customer, we took steps to terminate that employee's system access and remotely locked their laptop pending further investigation," HackerOne said.

The company found the former employee had created a fictitious HackerOne account and collected bounties for a handful of disclosures. HackerOne worked with the relevant payment providers in each instance to confirm the bounties were paid into a bank account connected with the now-former employee. By analyzing the individual's network traffic, the investigators were also able to link the fictitious account to the ex-employee's primary HackerOne account.

**Undermining Trust**

Mike Parkin, senior technical engineer at Vulcan Cyber, says incidents like this can undermine the trust that is key to the success of crowdsourced vulnerability disclosure programs such as the one that HackerOne manages. "Trust is a big factor in vulnerability research and can play a large part in many bug bounty programs," Parkin says. "So, when someone effectively steals another researcher's work and presents it as their own, that foundational trust can be stretched."

Parkin praised HackerOne for being transparent and acting quickly to address the situation. "Hopefully this incident won't affect the vulnerability research ecosystem overall, but it may lead to deeper reviews of bug bounty submissions going forward," he says.

HackerOne said the former employee — who started only on April 4 — directly communicated with a total of seven of its customers. It urged any other customers that might have been contacted by an individual using the handle rzlr to contact the company immediately, especially if the communication had been aggressive or threatening in tone.

The company also reassured hackers who have signed up for the platform that their eligibility for any bounties they might receive for vulnerability disclosures had not been adversely impacted. "All disclosures made from the threat actor were considered duplicates. Bounties applied to these submissions did not impact the original submissions."

HackerOne said it would contact hackers whose reports the ex-employee might have accessed and attempted to resubmit. "Since the founding of HackerOne, we have honored our steadfast commitment to disclosing security incidents because we believe that sharing security information is essential to building a safer Internet," the company said.

Following the incident, HackerOne has identified several areas where it plans to bolster controls. These include improvements to its logging capabilities, adding employees to monitor for insider threats, enhancing its employee screening practices during the hiring process, and controls for isolating data to limit damage from incidents of this type.

Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, says HackerOne's decision to communicate clearly about the incident and its response to it is an example of how organizations can limit damage. "Security incidents are often viewed as embarrassing and irredeemable," he says.

But being completely transparent about what happened can increase credibility and garner respect from customers. "HackerOne has taken an insider threat incident and responded in a way that reassures customers that they take security very seriously, are capable of responding quickly and effectively, and are continuously examining and improving their processes," Knudsen says.

HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain

A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.

A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function. 

After further investigation, analysts with ReversingLabs reported they have uncovered a campaign dating back at least six months that used more than two dozen malicious NPM modules to steal data from sites and applications. All together, the team found that 27,000 instances of the malicious NPM packages had been downloaded. 

"While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites," the ThreatLabs researchers explained in a blog post. "In one case, a malicious package had been downloaded more than 17,000 times."

**Attack Relies on Typo-Squatting **

The attack relies on so-called typo-squatting, where threat actors disguise malicious code packages with names very close to legitimate ones, including subtle naming variations and common misspellings, the researchers said. 

For instance, one of the malicious packages lurking in the NPM repository is named "umbrellaks," an attempt to hijack developers looking for the popular document object model (DOM) framework "umbrellajs," the ReversingLabs team added. 

What makes this supply chain reminiscent of the SolarWinds attack, the analysts pointed out, is the fact that the target isn't the developer inadvertently using the malicious code but, rather, the target site or application further down the software supply chain.

"This attack marks a significant escalation in software supply-chain attacks," according to the ReversingLabs malicious NPM report. "Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data."

Most of the malicious open source modules are still are still available, despite the analysts reporting their findings to NPM on July 1, they added. The report contains a list of affected packages.

Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.

Moreover, browser vendors frequently add new features, which increases the risk of flaws in program code that hackers can exploit. And even though there seem to be a lot of different Web browsers, there are actually just two open source browser engines. Chrome, Vivaldi, Brave, and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and switched to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all the other browsers are proprietary corporate tools like Apple Safari. As a result of this consolidation, adversaries can closely focus on undercovering the vulnerabilities in the two browser engines.

**The Latest Critical Web Browser Vulnerabilities  
**Every month, we see myriad serious new Web browser vulnerabilities. In the first half of 2022, Chrome has announced three zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the JavaScript V8 engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not just the nearly 3 billion users of Chrome, but also everyone using any other Chromium-based browser.

Mozilla is not immune from vulnerabilities, either. So far in 2022, we've seen CVE-2022-22753, a high-severity vulnerability that can enable an adversary to get admin rights in Windows; CVE-2022-22753, which could be abused to gain access to an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to enable JavaScript code execution.

The problem is not just serious but growing: In the first quarter of 2022 alone, Chrome fixed 113 vulnerabilities, 13% more than in the same period in 2021, while Firefox fixed 88 vulnerabilities, a 12% jump from the first quarter of 2021. These increases make browsers a top target for hackers.

**How Hackers Attack Browsers  
**Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these "drive-by download" attacks.

A more common tactic, however, is for hackers to send phishing emails that contain exploit kits targeting Web browsers. Indeed, Cisco's 2021 cybersecurity threat trend report found that about 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser, which can exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, Magnitude actively targeted Chromium in October 2021.

**Strategies to Mitigate Risk From Browser Vulnerabilities  
**Organizations should combine multiple techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers updated. However, patching browsers can be problematic. Research shows that 83% of users run versions of Chrome that are vulnerable to zero-day attacks that have already been identified by Google. One reason is simply that many users do not like rebooting their browsers, which is often required as part of an update.

Another barrier to patching is that many people install browsers under their user profiles, into folders that system administrators cannot access without special tools. To overcome these issues, automate patching for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient to end users; and manage applications installed under user profiles.

The second measure is to enforce multifactor authentication (MFA) on all critical systems and services. That way, hackers will be unable to access those resources even if they manage to steal a user's credentials.

Third, regularly clear the browser history on users' machines to erase stored passwords, and to clear their cookies as well, since they can enable attackers to access services such as email without the user's credentials. Ensure your IT teams can perform these tasks remotely and, ideally, automate them.

Fourth, remember the human factor. Be sure to roll out an extensive cybersecurity awareness program that educates all your users about security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially those that don't receive regular updates. In addition, train them to choose strong and unique passwords for each website they visit and not to store passwords in their browsers; to facilitate this, give them a password management app.

Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

A zero-day security vulnerability in Google Chrome for Android is being actively exploited in the wild, the Internet giant says.

The issue is a high-severity heap-buffer overflow bug (tracked as CVE-2022-2294) in WebRTC. WebRTC is an HTML5 specification that allows webpages to play real-time audio and video content inside the browser.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the company said in its advisory on the issue.

As usual, Google is keeping the vulnerability's technical details close to the vest until a majority of users have updated their browsers, but heap-buffer overflows in general are memory issues that can lead to a range of bad outcomes if exploited. Possible outcomes include crashing the device, denial of service (DoS), remote code execution (RCE), and security-service bypasses.

Patrick Tiquet, vice president of security and architecture at Keeper Security, did some delving into the issue, and says that bug does indeed allow RCE.

"CVE-2022-2294 is a serious vulnerability that could lead to arbitrary remote code-execution by simply visiting a malicious website," he says. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Windows and Android Chrome users should ensure that they install the latest updates to protect themselves."  

To address the flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday – it said that the update would be rolling out on Google Play "over the next few days."

The update fixes two other security bugs as well: One is a high-severity type-confusion bug (CVE-2022-2295) in Google's V8 open source JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts at S.S.L.; and the other is an unspecified fix that was discovered internally. Type-confusion issues can also lead to code execution, crashes, and logical efforts.

Tiquet adds, "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser."

**Fourth Exploited Chrome Zero-Day Bug in 2022**

The WebRTC flaw is the fourth zero-day in Chrome so far this year. Notably, in April Google disclosed a type-confusion vulnerability that is already being exploited in the wild (CVE-2022-1364), which affects the JavaScript and WebAssembly engine in the browser.

Another type-confusion problem in V8 (CVE-2022-1096) was patched in March; and the third was patched in February (CVE-2022-0609), after it was exploited by a North Korean-backed state advanced persistent threat, according to the Google Threat Analysis Group (TAG).

"With so many business and cloud applications depending on a web interface, browser vulnerabilities can be problematic," Mike Parkin, senior technical engineer at Vulcan Cyber, says. "Especially one as widely used as Chrome. It’s even worse when there are known exploits in the wild that leverage the vulnerability. Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly."

Source

DARKReading