Yearly Archives: 2025

Google tweaks Android with smart scam-fighting update

Bob Sullivan

Google has added a novel scam-fighting technique to the beta version of its newest Android operating system, and the company deserves kudos for that. Essentially, a software tweak will prevent users from installing (“sideloading”) rogue apps during a phone call — adding friction to a tactic criminals often try. It’s unclear how effective this small change might be, but it’s great Google engineers are thinking this way.

Android Authority has all the details.

As many of you know, one of my jobs is to host The Perfect Scam podcast for AARP.  Every week I interview the victim of a horrible crime, and tell their entire story from soup-to-nuts. I’ve done more than 100 of these episodes now, and I’m incredibly proud of the work we’ve done, and very grateful to AARP for its ongoing investment to help protect people from fraud. These podcasts also create a valuable library of criminal tactics and techniques, along with a realistic view of victims’ plight.

Many emotional, societal, and financial factors contribute to making people vulnerable to romance scams, crypto scams, impersonation scams, etc. It’s easy to imagine you and your loved ones would never be the victim of such a crime, but you’re dangerously wrong. Any of us can be victimized under the right circumstances. A massive, global, and very profitable industry that’s fueled by human trafficking is now devoted to creating those “right circumstances,” and soon, artificial intelligence will be a large part of their playbook.

I often point out that every one of my stories involves touchpoints with multiple technology companies which enable these crimes.  The victim is first contacted by Facebook messenger via an affiliate group; the conversation escalates on WhatsApp; the fake customer service number ranks high on Google; the money is sent through cryptocurrency.  You get the idea.  Tech companies can and must do more to uncover criminal tactics and at least not make things so easy for the bad guys.  Some firms don’t have a great track record of this. Meta is very, very slow to take down impersonation accounts that are used for ongoing crimes, for example.

So I’m glad to throw some flowers at Google today. One technique a criminal can use is to call a victim, engage them in conversation (“We’re from your Internet provider and your modem has been hacked!”) and then walk them through sideloading a malicious app on their phone.  Google’s Android smartphone software (which I prefer) has always been more dangerous than Apple’s software because Android is a more open system. So disabling the sideloading of apps during a phone call is a good step; it’s hard to imagine a need for that capability.  Naturally, a criminal could tell a victim to hang up, install the software, and then call back. But as Android Central put it, adding this speed bump will certainly help a little, and it might help a lot. AARP research has shown that any conversation with a third party can stop a scam in its tracks, so the hang-up-and-call-back friction might create a moment for such conversations. It won’t hurt, anyway.

I’d love to see more engineers step up and add speed bumps that are designed to frustrate criminals. If you have any ideas, I’m all ears. And I’ve got more flowers to throw!

Ransomware risk up, but some companies think they’re not a target

Despite advances in cybersecurity technologies, including artificial Intelligence (AI), organizations continue to find it difficult to detect and prevent ransomware attacks.

Research conducted by The Ponemon Institute and sponsored by Illumio, Inc. has found that eighty-eight percent of organizations experienced one or more ransomware attacks in a period ranging from the past three months to more than 12 months ago. According to the research, based on the hours and practitioners involved, organizations spent an average of $146,685 to contain and remediate the largest ransomware attack they experienced. In 2021, the average cost was slightly higher, at $168,910.


An on-demand webinar with many more details on the research is available for free at Illumio’s website.


The purpose of this research is to learn the extent of the ransomware threats facing organizations and the steps being taken to mitigate the risks and their consequences. Ponemon Institute surveyed 2,547 IT and cybersecurity practitioners in the U.S. (578), U.K. (424), Germany (516), France (471), Australia (256) and Japan (302) who are responsible for addressing ransomware attacks.

In addition to the 2024 findings, the report also presents research from a ransomware study Ponemon Institute conducted in 2021 and published in 2022. A comparison of the studies reveals changes in ransomware risks and the practices used to reduce the threats in the past three years. Since 2021, while the perception that their organization is a target of ransomware has declined from 68 percent to 54 percent of respondents, the consequences of a ransomware attack, such as downtime, loss of significant revenue and brand damage, have increased.

“Ransomware is more pervasive and impactful than ever, with more organizations forced to suspend operations or experiencing major business failure because of attacks,” said Trevor Dearing, Director of Critical Infrastructure at Illumio. “Organizations need operational resilience and controls like microsegmentation that stop attackers from reaching critical systems. By containing attacks at the point of entry, organizations can protect critical systems and data, and save millions in downtime, lost business, and reputational damage.”

Since 2021 organizations have become more vulnerable to ransomware because of AI-generated attacks and unrestricted lateral movement within their networks.

AI-generated attacks refer to cyber threats that leverage AI to deceive and compromise individuals, organizations and systems. These attacks are becoming increasingly sophisticated, imitating the language and style of legitimate emails to trick users into letting the ransomware in. Other attacks use AI to improve the ransomware’s performance or automate some aspects of the attack path. Fifty-one percent of respondents say their organizations are highly or extremely concerned that their organizations may experience such an attack.

Lateral movement refers to methods cyber criminals use to explore a compromised network to find vulnerabilities, escalate access privileges and reach their ultimate target. It is called lateral movement because of the way the attacker moves sideways from device to device, a hallmark of most successful ransomware attacks.

According to the findings, since 2021 unpatched systems have become increasingly vulnerable to being exploited by attackers moving laterally. Fifty-two percent of respondents in this year’s research say unpatched systems are targeted for lateral movement, an increase from 33 percent of respondents in 2021. Targeting cached credentials increased from 42 percent of respondents in 2021 to 48 percent of respondents in 2024.

The following findings highlight organizations’ efforts to mitigate ransomware attacks.

Organizations are slow to adopt AI to combat ransomware. Although AI is considered helpful for reducing ransomware attacks by increasing overall SecOps efficiency and detecting ransomware activity within the environment, only 42 percent of respondents say their organizations have specifically adopted AI to help combat ransomware.

Since 2021 more organizations believe their security controls will protect them from ransomware attacks. Confidence in mitigating a variety of ransomware risks has increased significantly, especially with respect to their current security controls (32 percent of respondents in 2021 vs. 54 percent of respondents in 2024). Multi-factor authentication and automated patching/updates are the top two technologies used to combat ransomware, 37 percent and 36 percent of respondents, respectively. Only 27 percent of respondents say their organizations use segmentation/microsegmentation.

Since 2021, more organizations are assigning responsibility for stopping ransomware attacks to one organizational function. Ninety-two percent of respondents say one person or function is most responsible for addressing the threat of ransomware. The most responsible are the CISO (21 percent of respondents) or the CIO/CTO (21 percent of respondents). In 2021, 82 percent of respondents said one person or function was most responsible.

To prevent ransomware attacks, organizations should secure the cloud and endpoints. Forty-nine percent of respondents say the cloud is most vulnerable in a ransomware attack followed by the endpoint, at 45 percent of respondents. Desktops/laptops continue to be the devices most often compromised by criminals.

Phishing continues to be the most common way ransomware is delivered. Phishing and Remote Desktop Protocol (RDP) compromises continue to be the primary methods used to unleash ransomware. Ransomware is typically spread through emails that contain links to malicious web pages or attachments. Infection can also occur when a user visits an infected website and malware is downloaded without the user’s knowledge. RDP is one of the main protocols used for remote desktop sessions.

Insider negligence can delay an effective response to ransomware and increase the negative consequences. To improve prevention and reduce the time it takes to respond, organizations should address negligent user behavior and the lack of security awareness. Training programs should focus on how users can make better decisions about the content they receive through email, what they view or click in social media, how they access the web and other common practices. Because no cybersecurity control can prevent every attack, containment and response strategies are equally critical.

Forty-four percent of respondents say their organizations are not prepared to quickly identify and contain a ransomware attack. This indicates the importance of having incident response plans, skilled responders and key controls to stop an attack from spreading.

Ransomware attacks can reduce revenues due to downtime, lost customers and brand damage. Since 2021, organizations that had to shut down to recover from the attack increased from 45 percent to 58 percent in 2024. Respondents that report a loss of significant revenue increased from 22 percent of respondents to 40 percent of respondents.

Since 2021, more organizations are reporting that brand damage was a consequence of the ransomware attack (an increase from 21 percent to 35 percent of respondents). The findings also reveal that recovering from damage to brand can cost organizations the most following a ransomware attack. In 2021, the highest cost was due to legal and regulatory actions.

Part 2. Key findings

In this section of the report, we provide an analysis of the research. Whenever possible, we present the findings from the 2021 study to show three-year trends in ransomware threats and risks.  The complete audited findings are presented in the Appendix of this report. We have organized the report according to the following topics.

  • The ransomware security gap
  • Anatomy of a ransomware attack
  • The response to ransomware demands
  • Country differences

The ransomware security gap

Fewer organizations pay the ransom. Since 2021, more respondents say their organizations will never pay the ransom even if it means losing data, an increase from 43 percent of respondents to 51 percent of respondents. In an October 2, 2019 Public Service Announcement (PSA), the FBI urges victims not to pay the ransom. According to the PSA, the payment of the ransom does not guarantee that the exfiltrated data will be returned, as shown in this research. The FBI also warns that paying might embolden attackers to target other victims.

Other trends are the decline in the belief that their organizations are targeted (54 percent of respondents in 2024 vs. 68 percent of respondents in 2021). A little more than half of respondents continue to say prevention of ransomware is a high priority.

To read the rest of this study, visit Illumio’s website.

Is the Great Atlantic Data Firewall going up after all?

Bob Sullivan

Are European companies on the brink of another potentially crippling data border dispute with the U.S.? I’ve spent a lot of time in Ireland recently, so I’m acutely sensitive to the possibility.

As tech companies here try to position themselves for Trump 2.0, downstream impacts from the new president’s flurry of executive orders and sackings are quickly being digested. But one issue stands out: the ability of US firms to operate with EU data is, once again, threatened. At worst, the issue could potentially cause EU schools and businesses to stop working immediately with US cloud providers like Google and Amazon, with potentially catastrophic results.

As history shows, that worst-case scenario is likely to be avoided, but yet again, the tenuous nature of international privacy agreements between the U.S. and its largest trading partner has been betrayed.

To review, E.U. citizens enjoy fundamental privacy rights not granted to U.S. citizens, in part because Congress has yet to pass a federal privacy law. Back in 1998, the EU mandated that data on its citizens cannot be exported outside the EU unless it is treated with EU-level care and its citizens are guaranteed EU-level privacy protections. This seemingly impossible stalemate has never really been permanently resolved, but it has been papered over several times by “agreements.” The first such deal was called “Safe Harbor” back in 2000. It was declared invalid by an EU court in 2015, and then replaced by “Privacy Shield,” declared invalid in 2020. That was replaced two years later by the Transatlantic Data Privacy Framework, which stands today. Maybe.

This week, new President Donald Trump required all Democrat members of an organization called the Privacy and Civil Liberties Oversight Board to resign, a not-unexpected step. But that leaves the board with only one member, rendering it essentially non-functional. That’s important because the Transatlantic Data Privacy Framework rests on the ability of this “independent” civil liberties board to deal with complaints by EU citizens about data mistreatment.  Legal scholars worry the board’s demise could mean demise of this latest data-sharing agreement.

In reality, the “court” established to hear such EU citizens’ disputes has yet to adjudicate a single case, according to one of its lawyers. So the Great Atlantic Data Firewall is likely not as imminent as some suggest; we’ve been on this brink many times before.

However, the executive order which President Biden signed initiating the entire Transatlantic Data Privacy Framework is due to be reviewed by the Trump administration within 45 days and it’s easy to see that baby being tossed with the bath water.  Then, real questions about a potential data-sharing wall arising over the Atlantic Ocean could be raised.

Perhaps, as Max Schrems suggests, it’s time to find a more permanent solution to this thorny problem? The best way to understand all that’s going on is to head over to NOYB.eu and read Schrems’ thoughts on the situation.

Certificate Lifecycle Management, PKI and Software Supply Chain Security in Financial Services

The purpose of this research is to determine how effective the financial services industry is in managing the certificate lifecycle, PKI and securing the software supply chain. As shown in this research, 62 percent of respondents say their organizations experienced one or more outages or security incidents due to an issue with digital certificates that resulted in diminished service quality or availability. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks or exploits in the past year. Some of the adverse consequences included putting customers at risk due to a system compromise and prolonged disruption to operations.

Sponsored by DigiCert, Ponemon Institute surveyed 2,546 IT and IT security practitioners in the United States (507 respondents), the United Kingdom (295 respondents), Canada (272 respondents), DACH (Germany and Switzerland, 363 respondents), France (361 respondents), Australia (237 respondents), Japan (252 respondents) and Singapore (259 respondents). Forty-eight percent of respondents work in banking and 52 percent are in the insurance industry. All respondents are familiar with their organization’s PKI and involved in certificate lifecycle management (CLM). Ninety-six percent of respondents either have responsibility (47 percent) or share responsibility with others (49 percent) in setting and/or implementing their organizations’ software supply chain security strategy.

Conducting inventories to identify every certificate is critical for crypto-agility and becoming quantum-ready. A key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Thirty-six percent of respondents agree that the most important feature of a CLM solution is the continuous discovery of public and internal certificates. Another 36 percent of respondents say lifecycle automation using standard and proprietary interfaces is one of the two most important features.

The following research findings describe the current state of CLM, PKI and software supply chain security.

  • Most organizations are in the dark about their certificate inventory and the kind of certificates they have. As discussed above, a key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Without this visibility, organizations are at risk because of unsecured certificates within their organization.
  • A CLM solution must support multiple CAs to allow for redundancy and to accommodate the decentralized nature of PKI within enterprises. Thirty-three percent of respondents say support for multiple CAs is one of the most important features when choosing a CLM solution.
  • Certificate outages are common mostly due to expirations or revocations, which can be solved by a CLM solution. Sixty-two percent of respondents say their organizations experienced one or more outages due to an issue with digital certificates. These outages were mainly due to expired certificates, revoked certificates and misconfigured certificates. These risks can be mitigated with an automated CLM system which streamlines the process of CLM through a variety of automated workflows done within a single platform.
  • The most important feature of PKI solutions is the ability to consolidate management of public CA and private CA certificates. According to respondents, the most important feature when choosing a PKI is a single vendor for public CA and private CA certificates (46 percent of respondents). Also important is scalability and performance (46 percent of respondents). The PKI technologies most often used are service provider/cloud provider managed private PKI (44 percent of respondents), internal private PKI (42 percent of respondents) and managed PKI service (e.g. SaaS PKI or PKI as a service) (29 percent of respondents).
  • A digital certificate, also known as a public key certificate, is used to cryptographically verify the ownership of a public key. Digital certificates are for sharing public keys to be used for encryption and authentication. According to the research, the most important use case for digital certificates is user authentication for WiFi, VPN or other network access (59 percent of respondents). Authenticating cloud workloads (55 percent of respondents) indicates progress in modernizing digital certificate security. Another important use case is digital signatures for electronic documents (54 percent of respondents).
  • Software supply chain attacks are growing, primarily from security issues with open source software. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks in the past year. Most of these attacks were caused by malware, vulnerabilities or other threats in open source software. The two top consequences were customers at risk due to a system compromise and prolonged disruption to operations.
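The inventory and expiry problems the findings describe (not knowing how many certificates exist, including private roots, and outages caused by expired certificates) come down to a scan that a team can automate. The Go program below is an added example written for this page, not DigiCert’s or Ponemon Institute’s code. It uses only the standard library to walk a PEM bundle, record the subject, issuer and CA flag of every certificate, and classify each one as ok, expiring or expired against a warning window. The certificate names, the 30-day window and the self-signed sample certificates it mints are constructed for the demonstration; a real inventory would read the PEM files, TLS endpoints or CA issuance records of the organization instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row: who the certificate names, who signed it, whether it is
// a CA (a private root shows up as a self-issued CA), when it stops working, and its status.
type CertRecord struct {
	Subject, Issuer string
	IsCA            bool
	NotAfter        time.Time
	DaysLeft        int
	Status          string // "ok", "expiring" or "expired"
}

// InventoryPEM parses every CERTIFICATE block in a PEM bundle and classifies it against
// now: past NotAfter is "expired", within warnDays of it is "expiring", anything else "ok".
// Key or CRL blocks sharing the file are skipped rather than treated as errors.
func InventoryPEM(bundle []byte, now time.Time, warnDays int) ([]CertRecord, error) {
	var records []CertRecord
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return records, nil // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		status := "ok"
		switch {
		case now.After(cert.NotAfter):
			status = "expired"
		case days <= warnDays:
			status = "expiring"
		}
		records = append(records, CertRecord{Subject: cert.Subject.CommonName,
			Issuer: cert.Issuer.CommonName, IsCA: cert.IsCA, NotAfter: cert.NotAfter,
			DaysLeft: days, Status: status})
	}
}

// selfSigned mints a throwaway self-signed certificate so the example runs offline.
// It panics on failure because it only produces constructed sample input.
func selfSigned(serial int64, cn string, isCA bool, notBefore, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ConstructedBundle is constructed sample input with hypothetical names: a healthy
// private root, a leaf 10 days from expiry, and a leaf that expired yesterday.
func ConstructedBundle(now time.Time) []byte {
	day, notBefore := 24*time.Hour, now.Add(-2*365*24*time.Hour)
	var b []byte
	b = append(b, selfSigned(1, "Example Bank Private Root CA", true, notBefore, now.Add(5*365*day))...)
	b = append(b, selfSigned(2, "payments.internal.example", false, notBefore, now.Add(10*day))...)
	b = append(b, selfSigned(3, "legacy-vpn.example", false, notBefore, now.Add(-day))...)
	return b
}

func main() {
	now := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC) // fixed clock for reproducible output
	records, err := InventoryPEM(ConstructedBundle(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-8s ca=%-5t days=%5d  %s (issuer: %s)\n", r.Status, r.IsCA, r.DaysLeft, r.Subject, r.Issuer)
	}
}
```

Running it prints one row per certificate; the root shows as ok with issuer equal to subject, the payments leaf as expiring, the legacy VPN leaf as expired. Feeding the same function every PEM bundle, keystore export and TLS endpoint the organization can enumerate, on a schedule, is the continuous discovery the survey respondents rank as the most important CLM feature, and the expiring bucket is the alert that prevents the expiration outages the findings report.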

To read the full findings of this report, visit DigiCert’s website.