A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter

**✍️ Description**

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "start\_date" Parameter

**🕵️‍♂️ Proof of Concept**

XSS payload: '"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>

**Steps to reproduce issue**

1- Login to Fork admin panel

2- Goto Modules=>Formbuilder

3- Turn on Burp Intercept

4- Click on "Update Filter"

5- Change value of "start\_date" parameter to 22/03/2021'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>

6- Forward the request and XSS will be triggered

Video POC: https://drive.google.com/file/d/12PqUfuw3RFyOcFS0HIHfTkxrpsDDtACd/view?usp=sharing

**💥 Impact**

With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.

CVE-2022-35585: Cross-site Scripting (XSS) - Stored in forkcms

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_time" Parameter.

**✍️ Description**

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish\_on\_time" Parameter

**🕵️‍♂️ Proof of Concept**

Vulnerable Parameter: publish\_on\_time

XSS payload: 17:59'"()&%<yes><ScRiPt >alert(1)</ScRiPt>

**Steps to reproduce issue**

1- Login to Fork admin panel

2- Goto Modules=>Blog=>Edit

3- Turn on Burp Intercept

4- Click on "Publish"

5- Change value of "publish\_on\_time" parameter to 17:59'"()&%<yes><ScRiPt >alert(1)</ScRiPt>

6- Forward the request and XSS will be triggered

**Video POC: https://drive.google.com/file/d/1LuVfabd0NRs8xKSR3vTpchB56ScgxL2a/view?usp=sharing\`****💥 Impact**

With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.

CVE-2022-35589: Cross-site Scripting (XSS) - Generic in forkcms

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter

**✍️ Description**

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish\_on\_date" Parameter

**🕵️‍♂️ Proof of Concept**

Vulnerable parameter: publish\_on\_date

XSS payload: '"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>

**Steps to reproduce issue**

1- Login to Fork admin panel

2- Goto Modules=>Blog=>Edit

3- Turn on Burp Intercept

4- Click on "Publish"

5- Change value of "publish\_on\_date" parameter to 22/03/2021'"()&%<yes><ScRiPt >alert(2)</ScRiPt>

6- Forward the request and XSS will be triggered

**Video POC: https://drive.google.com/file/d/10e\_8aSNUsGolDDexhuN\_aqso5VA8671n/view?usp=sharing.**

    
    # 💥 Impact
    With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.

CVE-2022-35587: Cross-site Scripting (XSS) - Generic in forkcms

The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System -- a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.

The **Department of Homeland Security** (DHS) is urging states and localities to beef up security around proprietary devices that connect to the **Emergency Alert System** — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.

A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine.

The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals.

“I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “But nothing ever happened. I decided I wasn’t going to tell anyone about it yet because I wanted to give people time to fix it.”

Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021.

“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,”’ Pyle recalled. “I went back to see if this was still a problem, and it turns out it’s still a very big problem. So I decided that unless someone actually makes this public and talks about it, clearly nothing is going to be done about it.”

The EAS encoder/decoder devices Pyle acquired were made by Lyndonville, NY-based **Digital Alert Systems** (formerly **Monroe Electronics, Inc.**), which issued a security advisory this month saying it released patches in 2019 to fix the flaws reported by Pyle, but that some customers are still running outdated versions of the device’s firmware. That may be because the patches were included in version 4 of the firmware for the EAS devices, and many older models apparently do not support the new software.

“The vulnerabilities identified present a potentially serious risk, and we believe both were addressed in software updates issued beginning Oct 2019,” EAS said in a written statement. “We also provided attribution for the researcher’s responsible disclosure, allowing us to rectify the matters before making any public statements. We are aware that some users have not taken corrective actions and updated their software and should immediately take action to update the latest software version to ensure they are not at risk. Anything lower than version 4.1 should be updated immediately. On July 20, 2022, the researcher referred to other potential issues, and we trust the researcher will provide more detail. We will evaluate and work to issue any necessary mitigations as quickly as possible.”

But Pyle said a great many EAS stakeholders are still ignoring basic advice from the manufacturer, such as changing default passwords and placing the devices behind a firewall, not directly exposing them to the Internet, and restricting access only to trusted hosts and networks.

Pyle, in a selfie that is heavily redacted because the EAS device behind him had its user credentials printed on the lid.

Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.

“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”

One of the Digital Alert Systems devices Pyle sourced from an electronics recycler earlier this year was non-functioning, but whoever discarded it neglected to wipe the hard drive embedded in the machine. Pyle soon discovered the device contained the private cryptographic keys and other credentials needed to send alerts through **Comcast**, the nation’s third-largest cable company.

“I can issue and create my own alert here, which has all the valid checks or whatever for being a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start propagating through the EAS.”

Comcast told KrebsOnSecurity that “a third-party device used to deliver EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.

“We’ve conducted a thorough investigation of this matter and have determined that no customer data, and no sensitive Comcast data, were compromised,” Comcast spokesperson **David McGuire** said.

The company said it also confirmed that the information included on the device can no longer be used to send false messages to Comcast customers or used to compromise devices within Comcast’s network, including EAS devices.

“We are taking steps to further ensure secure transfer of such devices going forward,” McGuire said. “Separately, we have conducted a thorough audit of all EAS devices on our network and confirmed that they are updated with currently available patches and are therefore not vulnerable to recently reported security issues. We’re grateful for the responsible disclosure and to the security research community for continuing to engage and share information with our teams to make our products and technologies ever more secure. Mr. Pyle informed us promptly of his research and worked with us as we took steps to validate his findings and ensure the security of our systems.”

The user interface for an EAS device.

Unauthorized EAS broadcast alerts have happened enough that there is a chronicle of EAS compromises over at fandom.com. Thankfully, most of these incidents have involved fairly obvious hoaxes.

According to the EAS wiki, in February 2013, hackers broke into the EAS networks in Great Falls, Mt. and Marquette, Mich. to broadcast an alert that zombies had risen from their graves in several counties. In Feb. 2017, an EAS station in Indiana also was hacked, with the intruders playing the same “zombies and dead bodies” audio from the 2013 incidents.

“On February 20 and February 21, 2020, Wave Broadband’s EASyCAP equipment was hacked due to the equipment’s default password not being changed,” the Wiki states. “Four alerts were broadcasted, two of which consisted of a Radiological Hazard Warning and a Required Monthly Test playing parts of the Hip Hop song Hot by artist Young Thug.”

In January 2018, Hawaii sent out an alert to cell phones, televisions and radios, warning everyone in the state that a missile was headed their way. It took 38 minutes for Hawaii to let people know the alert was a misfire, and that a draft alert was inadvertently sent. The news video clip below about the 2018 event in Hawaii does a good job of walking through how the EAS works.

Sounding the Alarm on Emergency Alert System Flaws

Tech support scammers are leveraging social media giant Facebook to lure users into clicking on a viral article.



(Read more...)




The post Viral video drives malvertising on social media platform appeared first on Malwarebytes Labs.

Posted: August 12, 2022 by

_This blog post was authored by Jérôme Segura_

Viral content shared on social media is highly coveted since it gets a lot of impressions and engagement. Unfortunately, the people who push this kind of content don't always have the best of intentions.

We recently identified a malvertising campaign on Facebook that uses a cute story that gained attention last year. The fraudsters are luring potential victims into clicking on its link so that they are conditionally redirected to a fake tech support page.

This technique is far from being new but yet still works really well and deserves to be analyzed once again so that affected parties better understand how they are being abused.

**Too cute to be true**

The scam starts with the sweet story of a man who jumped out of his car at a traffic light to have his puppy meet another dog. This moment was shared on a number of platforms last year and could melt any animal lover's heart.

We saw this post on Facebook and it has been viewed and shared since at least mid July. Yet, in this case, the link is a trap set to redirect potential victims to a malicious page known as a browser locker. While it does not actually 'lock' anything, the page displays fake messages about computer viruses and entices users to call for assistance. What follows after are the well-known tech support scams.

**Cloaking games**

In order to evade detection and remain active for as long as possible, these fraudulent schemes use a simple technique known as cloaking. The idea is to only display the malicious page in specific scenarios while showing legitimate content the rest of the time.

Here are some examples of filters that threat actors may use to their advantage:

*   IP address
    *   Geolocation (country and city)
    *   Internet Service Provider (ISP)
*   Browser user-agent
    *   Operating system (Windows, Mac, Mobile)
    *   Browser name and version
*   Referer (the site visited just before)
*   Cookies
*   Time zone

In other words, for a given campaign a target may be: people living on the US's west coast using Windows 10 and Google Chrome with a valid Facebook referer clicking on the link for the first time after 6 PM on weekdays. For the rest of the time and other visitors, a decoy page will be shown instead:

**The proverbial 'smoking gun'**

When it comes to reporting such abuses, most registrars, hosting companies and platforms will require some hard evidence unless you have worked with them in the past and they already trust the information you pass along.

While a video capture is a pretty damning piece of evidence, it may not necessarily be enough to convince a provider especially if they aren't able to reproduce the issue on their side. Because of cloaking, finding that smoking gun can literally take hours of frustrated attempts until finding the right combination of parameters. In fact, in some cases you may have to wait for when the scammers manually activate a redirect for a specific time window.

Running a web proxy is often invaluable to capture the event as it is happening as well as hard evidence of the suspected behavior. For example, what we see below are the request and response headers for the domain performing cloaking.

*   The request headers show the host (fnbchecklagsin\[.\]com) the referer (Facebook) and the full URI we requested (GET)
*   The response headers show that the server responded with the HTTP 302 code which indicates a redirect to a new location (browser locker)

Essentially, the malicious remote server did not even serve the decoy content but immediately redirected our browser to the tech support scam page.

We have reported this incident to the registrar (NameCheap), the hosting provider (DigitalOcean) and the platform (Facebook) abused to spread this scam. Malwarebytes users were already protected thanks to our Browser Guard extension.

**RELATED ARTICLES**

Viral video drives malvertising on social media platform

Unusually, SOVA, which targets US users, now allows lateral movement for deeper data access. Version 5 adds an encryption capability.

The Android banking Trojan SOVA is back and sporting updated capabilities — with an additional version in development that contains a ransomware module.  

Researchers at Cleafy, which documented the resurgence of SOVA, say that version 4 appears to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Spain appears to be the country most targeted by the malware, followed by the Philippines and the US.

The SOVA v4 malware is hidden within fake Android applications disguised by the logos of popular apps including Chrome and Amazon. The latest version includes a refactored and improved cookie-stealer mechanism, which can now specify a list of targeted Google services and other applications. In addition, the update allows the malware to protect itself by intercepting and deflecting attempts made by victims to uninstall the app.

Also in the latest versions of SOVA, attackers can control the specific targets via the command-and- control (C2) interface. This increases the adaptability of the malware to a large variety of attack scenarios.

In addition, it has capabilities that allow attackers to grab screenshots, and to record and execute commands. This enables an attacker to look for ways to laterally move around to other systems or applications that might be more lucrative.

"The most interesting part is related to the \[virtual network computing\] capability," the report notes. "This feature has been in the SOVA roadmap since September 2021 and that is strong evidence that \[threat actors\] are constantly updating the malware with new features and capabilities."

**Ransomware on the Horizon**

The Cleafy team also found evidence that suggested that an additional version of the malware, version 5, is in development and will include a ransomware module that had previously been announced in a September 2021 development roadmap.

"The ransomware feature is quite interesting as it’s still not a common one in the Android banking-trojan landscape," Cleafy researchers note. "It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data."

Cory Cline, senior cyber security consultant at nVisium, says that adding ransomware capabilities to a banking Trojan offers plenty of upside to cybercriminals.

"No longer do they need to steal your personal data to get access to your financial information," he explains. "With ransomware capabilities, attackers can now encrypt affected devices."

He adds that with more and more people storing nearly every aspect of their lives on their mobile devices, attackers will be able to more easily find targets willing to pay to get access to their data returned.

"The team behind SOVA has demonstrated a new level of sophistication," he says. "The feature set is fairly unique to the Android banking Trojan scene, and SOVA is one of the most feature-rich Android banking Trojans available."

However, he points out that the team behind SOVA has opted to implement RetroFit for C2 as opposed to writing its own solution.

"This could speak to some limitations in the development team," Cline says.

**Banking Trojans Get Boost From Added Capabilities**

Other banking Trojans have also resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by joint international task force in January 2021.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, says that improving and evolving existing Android banking Trojans has many advantages.

"The significant improvements to SOVA v4 and SOVA v5 show that attackers can simply expand existing features such as the cookies stealer, which now includes more payment services and applications to exploit," he points out. "New modules such as those targeting cryptowallets demonstrate that attackers see cryptocurrencies as a lucrative target."

He explains that adding ransomware capabilities can have multiple advantages for attackers, such as destroying evidence. That makes it difficult for digital forensics to discover any traces or attribution of the attacker, and gives the attacker an additional option to get paid when stealing credentials or cookies is not successful.

"As new Internet services specifically in the financial industry get adopted," Carson says, "attackers will need to keep updating banking Trojans with new modules just like any other software company to stay compatible with newer technologies."

Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan

Researcher shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.

Researcher shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.

Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software.

Researcher Felix Krause, who outlined how Meta tracks users in a blog posted Wednesday, claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers.

iOS users’ concerns over tracking were addressed by Apple’s 2021 release of iOS 14.5 and a feature called App Tracking Transparency (ATT). The added control was intended to require app-developers to get the user’s consent before tracking data generated by third-party apps not owned by the developer. Krause said that both iOS apps Facebook and Instagram are using a loophole to bypassed ATT rules and track website activity within their in-app browsers via the use of a custom JavaScript code used in both in-app browsers. That means, when an iOS user of Facebook and Instagram click on a link within a Facebook and Instagram post (or an ad), Meta launches its own in-app browser which can then track what you do on external sites you visit.

****Meta’s Use of a JavaScript Injection** **

“The Instagram \[and Facebook\] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote.

A PCM.JS code, according to the researcher, is an external JavaScript file injected into websites viewed within the in-app browser. The code is used by both apps and enables both apps to build a communication bridge between in-app website content and the host app. Additional technical information regarding the PCM.JS can be found here.

Meta responded to Krause’s research with a statement published by The Guardian:

“We intentionally developed this code to honour people’s \[Ask to track\] choices on our platforms… The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

****In-App Browsers and Privacy Risks****

The use of in-app browsers, whether it be Meta’s or another company’s, presents a host of privacy risks, according to Krause. For starters it could allow a company to collect browser analytics, such as taps, input, scrolling behavior and copy-and-paste data without unambiguous user consent.

In-app browsers could also be used as a loophole by a firm to steal user credentials and API keys used in host services or inject ads and referrals links to siphon ad revenue from websites, the researcher noted. While citing these as examples, Krause is not accusing Meta of any of these actions.

“As my understanding goes, all of \[these privacy concerns\] wouldn’t be necessary if Instagram were to open the phone’s default browser, instead of building & using the custom in-app browser,” he wrote.

****FUD-busting FAQ****

While Krause’s research has sparked outrage with privacy activists and he is careful to temper his research with answers to questions raised by his research.

*   **_Can Instagram/Facebook read everything I do online?_** _No! Instagram is only able to read and watch your online activities when you open a link or ad from within their apps._
*   **_Does Facebook actually steal my passwords, address and credit card numbers?_** _No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data legally and for free, without asking the user for permission, they will track it._
*   **_Is Instagram doing this on purpose?_** _I can’t say how the decisions were made internally. All I can say is that building your own in-app browser takes a non-trivial time to program and maintain, significantly more than just using the privacy and user-friendly alternative that’s already been built into the iPhone for the past 7 years._

Krause offers advice to privacy-minded users of the apps and suggests that, “whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.” Safari, he points out, already blocks third party cookies by default.

The researchers is also careful to point out that he does not have a precise list of data both apps send back to Meta. “I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JavaScript SDK without the user’s consent, as well as tracking the user’s text selections,” he wrote.

****Apple’s 11-Word Response****

In July, Apple upped its privacy game and announced a feature called Lockdown Mode that is said offered as “an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.”

The researcher filed what is called an Open Radar Community Bug Report with Apple last month claiming “iOS Lockdown Mode allows custom in-app webviews, host apps can steal information.”

Apple responded within a comment to the report simply stating “Thanks for your report. This isn’t what Lockdown Mode is for.”

Meta responded directly to Krause’s report stating the PCM.JS JavaScript is used to “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.”

Meta explained to Krause that it respects Apple’s App Tracking Transparency (ATT) rule, which requires app developers to get permission before tracking. The researcher notes that opting out of Meta’s in-app browser tracking is dependent on a third-party website’s use of what is called a Meta Pixel. A Meta Pixel is a “a snippet of JavaScript code that allows you to track visitor activity on your website,” according to a Meta developer description.

The researcher acknowledges that Meta is following ATT rules.

“According to Meta, the script injected (pcm.js) helps Meta respect the user’s ATT opt out choice, which is only relevant if the rendered website has the Meta Pixel installed,” Krause wrote.

Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’

Social media company Meta said it will begin testing end-to-end encryption (E2EE) on its Messenger platform this week for select users as the default option, as the company continues to slowly add security layers to its various chat services.
"If you're in the test group, some of your most frequent chats may be automatically end-to-end encrypted, which means you won't have to opt in to the

Social media company Meta said it will begin testing end-to-end encryption (E2EE) on its Messenger platform this week for select users as the default option, as the company continues to slowly add security layers to its various chat services.

"If you're in the test group, some of your most frequent chats may be automatically end-to-end encrypted, which means you won't have to opt in to the feature," Sara Su, product management director of Messenger Trust, said.

The incremental development comes a year after it turned on E2EE for audio and video calls on the messaging service as well as for one-on-one chats in Instagram, and enabled encrypted chat backups for WhatsApp on Android and iOS.

E2EE is a secure communication mechanism that scrambles data in transit and prevents third-parties from unauthorizedly accessing information sent from one endpoint to another, including Meta.

"This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them," Meta-owned WhatsApp explains in its documentation.

It's worth pointing out that Meta flipped the switch on E2EE chats in Messenger in January 2022 on an opt-in basis, meaning it requires users to explicitly turn it on to avail the privacy and security guarantees.

**End-to-End Encrypted Chat Backups**

What's more, the encrypted backup feature is being ported over to Messenger too in the form of a feature it calls Secure Storage that allows users to create a PIN or a code, which can then be used to restore the chats on a new device.

Further changes encompass an expansion of E2EE trials on Instagram and the removal of vanish mode in Messenger while retaining disappearing messages, which lets messages be automatically erased after a chosen time period.

In addition, it's extending the Code Verify safeguards it introduced earlier this March to ensure the integrity of WhatsApp Web to include the desktop web version of Messenger.

The updates arrive ahead of a global rollout of default end-to-end encryption for personal messages and calls across Instagram and Messenger in 2023. As it stands, WhatsApp is the only Meta product to be end-to-end encrypted out of the box.

They also come in the immediate aftermath of news that Meta shared Messenger chats with law enforcement in a criminal case concerning a 17-year-old's abortion in the U.S. state of Nebraska, something that was made possible only because conversations on Messenger are still stored in cleartext.

The company, which is facing significant blowback, has since sought to emphasize that the "warrants did not mention abortion at all" and that "police were at that time investigating the alleged illegal burning and burial of a stillborn infant."

The encryption barriers have also been a point of contention with governments who say the system hinders their ability to counter serious crime like child sexual abuse harms.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Testing Default End-to-End Encryption and Encrypted Backup in Messenger

During a keynote at Black Hat 2022, former CISA director Chris Krebs outlined the biggest risk areas for the public and private sectors for the next few years.

BLACK HAT USA — Las Vegas — A potential invasion of Taiwan should be top of mind for any entity, as geopolitical factors will continue to affect cybersecurity risk profiles.

That's the word from Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA) who now runs a consultancy with former Facebook CISO Alex Stamos (the appropriately named Krebs Stamos Group). He took to the stage at Black Hat USA 2022 to talk about what will be driving the risk landscape in the next few years.

Krebs was fired from CISA for insisting the 2020 election was secure and fraudless ("We insist that we were successful — it was a singularly important moment in American history," he said at Black Hat. "And I think we did a pretty damn good job.") In the 18 months since, he has hit the road, talking to officials in the private sector, global governments, and state and local entities.

"I wanted to find consensus on what the trend lines are out there, the market pressures and the coming inflection points that are influencing technology, governments, bad actors, and people," he said.

In addition to geopolitical headwinds, Krebs noted that digital transformation, along with ever-increasing cyber-offensive capabilities from the bad guys, should have both the public and the private sectors on notice — or they risk falling hopelessly behind.

**Taiwan Looms as Geopolitical Pressures Accelerate**

In the last six months alone, there has been an unprecedented collision between geopolitical risks and technology risks — and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, Taiwan is a hotspot to watch.

"Leaders need to plan out beyond the next two quarters," he noted. "You have to look three to four years out, and every single company out there should be conducting simulation scenarios, impact assessments, tabletop exercises at the executive level around what's happening in the Taiwan Strait."

A Chinese invasion of Taiwan has the potential to impact organizations across the board, especially affecting the technology supply chain, competition and markets, and IT operations.

"Political headwinds have big effects and you have to game these things out," Krebs noted. "I don't know if it's going to happen tomorrow, next year, or three, four years out, but based on the conversations I have with national-security officials, they're pretty confident that's going to come to a head between China and Taiwan."

He added, "And if you want to be in a position to de-risk your operations, you have to start that yesterday."

While nation-state and advanced persistent threats (APTs) tend to be discussed in the context of China, Iran, North Korea, and Russia, Krebs noted that this is about to become a much bigger space to be concerned with.

"Literally every country on the face of this earth is developing capabilities for espionage for domestic surveillance," he warned. "And yeah, they're also looking at capabilities for destruction and disruption. There are going to be splashy, new, and novel events in the near future."

Against this backdrop, companies will also have to tabletop their responses to world events with an eye to ethics, he urged.

"You have to have a set of principles," he said. "You have to establish your values, who you are, what your red lines are. When Russia invaded Ukraine, we were working with a couple of different companies that said, look, we're not impacted by sanctions, so we're good, we don't really need to worry about it. Our take was, when images of war crimes start showing up on TV, and on Twitter and elsewhere, you're going to have a problem. You're continuing to support the Russian war machine."

**Insecurity in the Cloud, by Design**

Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that the benefits of insecure products far outweigh the downsides.

"That's because we operate inside a larger ecosystem, inside businesses that are focused on productivity and reducing friction, and they tend to see security as slowing things down when you want to be first to market," he explained. "So we're building more products that are insecure by design because of the market pressures."

Meanwhile, as the ongoing mass migration to the cloud is being done in an effort to increase flexibility, elasticity, productivity, and efficiency, an ancillary result was a reduction in the ability for firms to see what's happening across their infrastructure.

"We've made it more complex, and we've also started adding on additional products, the infrastructure on the platforms, and we have this explosion of software-as-a-service (SaaS) opportunities and options out there," Krebs said. "Those are all opportunities for the bad guys to come in and get what they want. Do you really understand how the cloud works across the various hyperscale vendors and how you interact with it?"

Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers.

Further complicating matters is the ongoing proliferation of connected things, which all come with potentially insecure cloud apps.

"I think we all agree there's going to be more stuff connected, because we have a pathological need to connect things to the Internet, seemingly," he said. "Three, four years into the future there are going to be more things around you that are collecting and generating data. These things are generating an incredible amount of data exhaust, digital exhaust, and it's becoming more complex, not less."

He noted that William Gibson had this reality pegged when he released the book _Neuromancer_ in 1984.

"He coined the term 'cyberspace,'" Krebs said. "But it's how he described cyberspace that was so captivating — the unthinkable complexity of cyberspace. We're there right now."

**Public Sector Concerns: Security Work to Do**

The next future concern on the Krebs list is the fact that the US government is struggling with balancing market interventions and regulation with the capitalist desire to allow innovation to grow.

"We see an overreliance on checklists and compliance rather than performance-based outcomes, so we're not getting the security-related outcomes we want," he noted, adding that to boot, what oversight does exist isn't implemented well.

"Congress needs to figure it out as well, and needs to establish select committees in the House and Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch," Krebs said. "We have 101 civilian agencies, and every single one of them is running their own email service. So, we've got to fix that."

On the law enforcement side, the Department of Justice and FBI have been consistently tackling the ransomware issue, which Krebs called "the right moves."

"They're going more aggressively at the adversary at the command-and-control level," he explained. "But we need to shift from longer-term investigations towards more disruptive actions aimed at imposing costs and eliminating ransomware's ability to extract value from companies here in the US.

Ransomware has become professionalized, he noted, and cyberattackers' capabilities just keep getting better and better.

"The barriers to entry have dropped, and now, they have access to exploits that were the remit of nation-states," he said. "They're profiting, and it's not costing them anything; they're getting their wins. And until we create meaningful consequences, and impose costs on them, they will continue to."

**Workforce Challenges Continue**

When it comes to the infamous lack of qualified people to fill 3 million open cybersecurity roles, the situation is confounding given how rewarding a career it can be, Krebs said.

"The first thing is, it's fun. Second is, it's lucrative," he noted. "We get paid pretty well in this industry. And third, relatedly, it's durable; we're going to be dealing with these challenges for the rest of our lives, perhaps the rest of human history. And then last thing is, these are national security issues. The mission we're doing is incredibly important."

That said, the US workforce over all is becoming increasingly tech-native, which he's optimistic about.

"We're getting critical thinking skills coming along with the technology savviness that we're looking for," he said.

While there's much to think about going forward, and to act on today, Krebs did say that there are reasons to be hopeful about the chances for businesses to keep up with the risk landscape.

"As evidenced by Black Hat USA at 25, we have a maturing industry," he said. "We're producing and generating products that are solving problems. We have technology vendors that are working to solve problems in the infrastructure."

Krebs: Taiwan, Geopolitical Headwinds Loom Large

The Microsoft Bug Bounty Programs and partnerships with the global security research community are important parts of Microsoft’s holistic approach to defending customers against security threats. Our bounty programs incentivize security research in high-impact areas to stay ahead of the ever-changing security landscapes, emerging technology, and new threats. Security Researchers help us secure millions of …
  Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards Read More »

The Microsoft Bug Bounty Programs and partnerships with the global security research community are important parts of Microsoft’s holistic approach to defending customers against security threats. Our bounty programs incentivize security research in high-impact areas to stay ahead of the ever-changing security landscapes, emerging technology, and new threats. Security Researchers help us secure millions of customers by discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure.

Over the past 12 months, Microsoft awarded $13.7M in bug bounties to more than 330 security researchers across 46 countries. In the last year, the largest award was $200,000 under the Hyper-V Bounty Program, and the average award was more than $12,000 across all our programs, demonstrating the high impact research from one of the largest and most diverse global security research communities.

**What has changed in the past year?**

We are constantly evolving our programs and partnerships to meet the changing threat landscape. A key element of this maturing process is listening to feedback from researchers to remove barriers to entry and better facilitate research efforts. This year, we introduced a new research challenge and new high-impact attack scenarios across many of our programs to award research focused on the most critical areas to customer security. The addition of these attack scenarios to our Azure, Dynamics 365 and Power Platform, and M365 bounty programs helps to focus research on the highest impact cloud vulnerabilities including areas like Azure Synapse Analytics, Key Vault, and Azure Kubernetes Services.

**New and Updated Bug Bounty and Research Programs**

*   Azure SSRF Research Challenge, launched August 2021
*   Azure Bounty Program, added high-impact research scenarios August 2021
*   Edge Bounty Program, added Android/iOS to scope October 2021
*   Microsoft Researcher Recognition Program, expanded recognition categories and swag February 2022
*   Applications and On-Premises Servers Bounty Program, added Exchange, Skype, and SharePoint on-premises April 2022
*   M365 Bounty Program, added high-impact research scenarios April 2022
*   Dynamics 365 and Power Platform Bounty Program, added high-impact research scenario & Power Platform to scope April 2022

We believe partnerships with the global security research community are an essential part of protecting customers, and we will continue to invest in and evolve our bounty programs as a part of strengthening these partnerships. Thank you to all the researchers who shared their research with Microsoft this year to help secure millions of Microsoft customers.

_Lynn Miyashita and Madeline Eckert_

_MSRC_

Tag

#ios