The European Commission enacted its Digital Services Act last November as another step in its efforts to regulate online services and platforms. Most of these regulations take effect next February, but some will require many European businesses — and others that have customers on the continent — to meet the first deadlines next week. Once again, Europe is moving further ahead of the U.S. in terms of privacy protection and forcing online businesses to be more transparent. This began with the General Data Protection Regulation five years ago and continues with the implementation of the DSA. More about this set of new regs in my latest post for SiliconANGLE here.

Two new analysis blogs for SiliconANGLE this week:

1. Preventing MFA Fatigue.There is a new wave of infections spreading throughout the world that has nothing to do with COVID or, for that matter, any other physical disease. Called multifactor authentication fatigue, it’s highly contagious and spreads through the deception of determined hackers who want to steal users’ account details. But here is the irony: The more MFA a company uses, the greater the chance that a potential MFA fatigue attack will succeed.
2. Codesys IoT vulnerability discoveredMicrosoft security researcher Vladimir Tokarev demonstrated an interesting attack on the industrial internet of things automation software called Codesys. Tokarev, who showed the exploit last week at the annual BlackHat security conference in Las Vegas, used a miniature elevator model to demonstrate how the attack could crash its cab. The software – and more importantly, its software development kit — is widely used in millions of programmable logic controller or PLC chips that run everything from traffic lights and water treatment plants to commercial building operations automation and energy pipelines.

Two new reports on phishing trends show a rise in attacks, and they’re taking more complex paths through the internet to connect victims with malware-laced websites. The trends are highlighted in Cloudflare Inc.’s annual phishing trends report released today, as well as the latest compendium of phishing trends by the Interisle Consulting Group. I go into details about both of them, and what the implications are for defenders and users, in my latest analysis for SiliconANGLE.

The names Downfall, Inception, Meltdown and Spectre might evoke the names of Bond villains, but they describe something almost as insidious: They are all central processing unit-based security vulnerabilities that have been uncovered in the past several years.

Each of them — the first two most recently and the last two harking back to 2018 — involves very specific attacks on hardware-level commands of various chips made or designed by Intel Corp., Arm Ltd. and Advanced Micro Devices Inc. All have required or will require patching with operating system updates and chip firmware updates. My story for SiliconANGLE goes into the details of each one and how they can be mitigated.

I have been busy writing for them this week, and since there is Black Hat and DEFCON in Vegas, there is a lot of news to share. Here is a recap of what I have posted.

• F5 announces new mobile app security protection
• Two new cybercrime takedowns show the global nature of these criminals and the effort involved in bringing them to justice.
• Google has promised its latest Android v.14 mobile OS will have some new security features. That is the good news. It will take time to percolate throughout their ecosystem, it is just for enterprise users, and you’ll probably need a new phone.
• The EvilProxy malware construction kit makes it easier for phishing attackers to ply their trade, and there has been a rise in such attacks according to Proofpoint telemetry. I do cite an interesting case of how Discuss (the vendor behind the popular software tool) took these MFA bypass threats to heart and spent the last year or so upgrading its authentication to using Yubico FIDO2 hardware keys.
• A new report examining the results of millions of threat simulations using Picus tools found there is plenty of room for improvement — not surprising. But the comparative analysis is worth reading in my post. 
• If you think you are safe from your keystrokes being stolen, this article that shows the sound of your typing can be used to re-create your text under some extreme circumstances.
• CISA has issued warnings about malicious boot loaders taking control over UEFI firmware. Sadly, getting to the root of the problem (sorry) isn’t going to be easy.
• Finally, last week I wrote a nice analysis piece about the progress of payment tech. There has been a lot of progress since I first started covering this market sector back in the 1990s.

A new, unpatched exploit called PhishForce that involves a sophisticated email phishing campaign has been discovered by security researchers at Guardio Labs. The targets are Salesforce Inc. customers, and the threat involves spoofing the company’s email servers and domain names. The process of finding and fixing the issue reveals a lot about how security teams can work together to fight phishing. My post for SiliconANGLE is here.

– 

The foundational Domain Name System, essentially the phone book for the internet, used to be something nobody using the net much noticed, but lately it has become more of a target, and the cost of attacks against it are huge and growing.

Recent events have once again brought issues involving the DNS, as it’s called for short, to the forefront.

One reason has to do with the expansion of the internet. There are more targets, more bandwidth and more automated tools to launch attacks, making it easier for the bad guys to cast a wider net with more destructive power.

I explore the role of DNS, the collection of various attacks, and the role this protocol plays in my latest story for SiliconANGLE here.