The Week in Cybersecurity
Security professionals rejoice! Like a zombie, Flash has lived on for far too long. It's security flaws are legendary. Glad to see Adobe is making the right, albeit difficult, choice to EOL in 2020 . Ironically, after EOL, Adobe will not publish updates or patches which will make legacy installs more insecure for those who have not migrated to different solutions (HTML5, WebGL, etc.).
How do you launder $4 billion? Cryptocurrency. This is one reason that cyber and organized criminals continue to be drawn to Bitcoin and other the next generation cryptocurrencies like Zcash, Monero, and others which provide even more privacy and anonymity.
An interesting study in how ransomware operators are using aspects of scarcity, authority, and consequence to influence victims to pay. They are taking pages from marketing and sales playbooks.
It is important to understand that not all attackers are the same. There are varying archetypes that differ in motivation, capabilities, and objectives. This largely determines their targets, persistence, and methods. Cyber-criminals are motivated by financial gain, they typically look for the easiest victims that will satiate their goals. Methods will vary across technical and behavioral vulnerabilities, but align to the path-of-least-resistance axiom. If you want to familiarize yourself with a comprehensive picture of different archetypes, take a look at the Threat Agent Library or other similar lists.
It always fascinates me when we see hardware based attacks. There is a certain level of purpose, complexity, and planning involved in such exploits. It shows that threats are willing to make interesting trade-offs when it comes to pursuing their goals. This gives us insights to their range of actions, technical competencies, and level of commitment. It also provides opportunities to interdict threat-agents as they pursue such paths.
The convergence of cyber and physical security mandates a greater level of scrutiny when it comes to matters of life-safety. Connecting devices to the internet or other electronic mechanisms inherently introduces a number of new vulnerabilities. For items that potentially hold the safety of people in the balance, it should not be done without proper planning, design, testing, and sustaining support. Failure could be catastrophic.