The Latest

BinDiff is a binary file comparison tool to find differences and similarities in disassembled code quickly. It was made open source today. With BinDiff, you can identify and isolate fixes for vulnerabilities in vendor-supplied patches. You can also port symbols and comments between disassemblies of multiple versions of the same binary or use BinDiff to gather evidence for code theft or patent infringement.

Use cases

Compare binary files for x86, MIPS, ARM, PowerPC, and other …

The post BinDiff: Open-source comparison tool for binary files appeared first on Help Net Security.


from Help Net Security https://ift.tt/AZaX4YW

Security processes are increasingly automated, which has led some businesses to deprioritize developing their security teams’ defense skills. While antivirus and non-human generated threat detections efficiently identify vulnerabilities, they cannot detect every single threat.


With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are completely confident in their cybersecurity skills, while 21% have no confidence at all. Given that 74% of data breaches are caused by human error, it is crucial that upskilling practices are in place.

One of the best ways to develop the necessary skills is through hands-on learning which allows employees to practice in a low-risk environment and better understand the methods used by cyber-attackers. This kind of experience is vital for security teams to be able to anticipate threats and capably protect the business.

The importance of testing security teams’ skills

Automated defense technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customization to launch an attack. But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers can still create the exact same program with millions of different file hashes or apply human ingenuity to evade known defenses.

Anti-virus is built on a massive signature-database-shaped house of cards that easily crumbles by changing text within programs. The same applies for network signatures, endpoint detection and response. There are certain behaviors that traditional defense technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this is easier than it seems.

Security teams need easily replicable techniques to emulate threat scenarios to test their defense skills against the skill level of cyber-attackers. Testing is how businesses find out the cybersecurity teams’ skill level without waiting for a breach.

At least yearly, there should be a full red team assessment; the red team is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cybersecurity controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).

Start with the basics

Even the most advanced cyberattacks leverage basic techniques that have been around for years. Businesses need to focus on fully leveraging the tools they have to detect even the most basic of techniques and then move their way up to more advanced techniques from there. That will remove the most common threat from the equation first. This allows them time to identify and build the expertise and infrastructure required to be mature enough to defend against the most advanced or dangerous threats.

Anticipate the risk by using threat simulation learning models

One example of such an exercise is a blue team friendly attack simulation. The blue team here refers to security experts who are aware of the organization’s objectives and security strategy and are trying to defend and respond to attacks performed by the red team. One group poses as the opposing force, or in this case, cyber criminals, while testing the ability of the defenders to detect and protect against such attacks.

However, these types of simulations are performed on extensive cyber ranges that take a lot of time and effort to create, and don’t always accurately reflect the enterprise environment. In addition, they require security teams to take several days off to play through the exercise. The quality of these simulations depends on the team that developed them and the complexity of the available cyber range resources. The rapid evolution of threats means that the work cyber teams do can have a short shelf life, as does the ability to properly prepare defenders.

Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to check the efficacy of their monitoring tools, as well as their people and processes, quickly and on an ongoing basis, in a way that reflects current threats. This is important to the concept of ‘becoming the threat’. What cybersecurity teams really need is the ability to test individual tactics in their organization’s live environment, without the overhead of a full red team exercise.

Hone skills and build confidence through hands-on learning

Simulations are a good way to understand how to best defend against and respond to different attacks and determine whether employees need to upskill. At its most basic level, if the blue team wins, they can be confident when it comes to a cybersecurity threat. But if they lose, the organization still has work to do to improve its defense strategy.

When simulating various TTPs, you can categorize them in two ways: first, by the level of expertise required to perform the specific attack; second, by the area, or type of data, in which the attack should be detected.

The concept of defense in depth is that even if you miss one component of an attack, you can ideally catch others so that you can prevent the attackers achieving their goal. Measurement is based on the time it takes for a team to detect and respond to a particular TTP once launched, by category of the technique. Skill, process, and technology gaps can then be mapped by identifying where response times were low, or there was no response time at all.

Up to date skills central to staying ahead of the hackers

Cyber teams play a constant cat and mouse game to keep up with the evolving threat landscape. However, organizations can adopt specific practices to ensure teams have built in skills to defend against cyber-attacks and protect the business.

Providing employees with first-hand experience of how a cyber-attack plays out can break down the barrier between the defender and the attacker, helping them better understand the threat and anticipate the risks. This type of learning pathway is crucial for an organization that needs to know how well equipped its teams are for when a cyber-attack inevitably occurs. Only then can it decide whether to fill skills gaps with additional training or whether the current level of expertise is enough to protect the business.

When it comes to cyber-attacks, security teams must act extremely quickly to minimize the impact in stressful environments. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages.


from Help Net Security https://ift.tt/6LAf3Fy

In this Help Net Security interview, Evelyn de Souza, Head of Privacy Compliance, Oracle SaaS Cloud, talks about the constant efforts required to keep up with privacy laws in each country, and ensuring compliance across the entire organization.

She also discusses the main challenges in implementing consistent privacy policies across various departments and regions and how to address them.

The views and ideas expressed within the content are solely the author’s and not of any affiliated company.


The data privacy landscape is complicated and constantly evolving, especially for enterprises operating in multiple countries. How do you keep up with the privacy laws in each country and ensure compliance across the entire organization?

Keeping up with privacy laws in each country is a constant effort. Fortunately, there are resources such as the IAPP regulation trackers that can ease this burden. While many of today’s privacy regulations may have a “GDPR-esque” flavor, the differences between regulations are becoming increasingly nuanced. For example, one U.S. state privacy regulation requires an opt-in, while another focuses on opt-outs. What constitutes sensitive data under one privacy regulation might not be under another.

Despite these nuances, where possible I recommend mapping to a harmonized framework for the common articles and controls as that can minimize duplicative efforts and then as a second step, factoring the differences in regulation into your privacy framework.

What are the main challenges in implementing consistent privacy policies across various departments and regions? How do you address these challenges?

Implementing consistent privacy policies across various departments and regions can be challenging especially for smaller organizations that may not have the resources to keep up with the increasing patchwork of privacy regulations and the sometimes-unpredictable cadence of regulation updates.

In addition to establishing a robust privacy framework, per the response to the previous question, which helps ensure a more consistent approach, another way to address the challenge is to think of the key contexts and use cases across your organization. Writing privacy policies in simple language so that stakeholders can easily digest them, and tailoring them to the specific use cases that may apply across the various departments in your organization, helps privacy policies become more relatable and memorable.

Considering recent calls for stricter data protection regulation, how effective do you think corporate self-regulation has been in protecting customer data?

I see both pros and cons of self-regulation. Self-regulation can be effective in enabling organizations to adopt privacy standards that meld well with their overall ethical posture and that involve diverse stakeholders to arrive at a balanced privacy posture. It can also encourage friendly competition between organizations looking to leverage this as a brand differentiator.

On the other hand, self-regulation can produce inconsistency. Without explicit endorsement by a government or a regulating agency, there might be “regulation uncertainty” and this could cause some organizations to delay their investments in privacy.

The idea of ‘less is more’ seems important in data collection. How do you determine which data is essential for analytics and business objectives?

Determining which data is essential for analytics and business objectives really depends on the goals of the organization and the initiative. Start by defining your objectives and performance indicators and then identify the data sources and data points that map directly to those objectives and performance indicators.

From an initiative standpoint, different initiatives require different data sets. For example, data from market research, industry reports and competitor analysis could provide insights into consumer behavior trends while customer reviews and surveys may be needed for initiatives involving customer satisfaction.

Regularly review your data requirements to ensure your initiatives remain aligned with business goals, objectives and performance indicators.

How do you balance the need for robust data analytics and customer personalization with the ethical and legal responsibilities of data privacy?

Some of the strategies for balancing the need for personalized data analytics against ethical and legal data privacy responsibilities include:

  • Data minimization: As per the previous response, avoid collecting excessive data that could pose a privacy risk and only collect and use that which is specific to the business objective.
  • Transparency: Be transparent in your policies about what is collected, how it’s collected and how it will be used. Ensure explicit consent from your end users.
  • Strong data governance: Ensure strong oversight in areas not only such as data security, but also privacy by design, customer education, audits and reviews to enable data privacy posture to constantly evolve.

The balance between customer analytics and privacy is a delicate one that requires an ongoing commitment to fostering a culture of privacy and respect for data and end users within your organization.

With the development of AI and machine learning technologies, what are the future challenges and opportunities for privacy compliance?

As AI and machine learning technologies continue to evolve, the challenges include ethical considerations, bias and legal compliance, to name a few, but the opportunities are also significant. AI can be used to enhance data protection, such as anomaly and threat prediction, to potentially reduce the chance of data breaches. It can be used to automate some aspects of compliance and compliance reporting.

Additionally, techniques such as differential privacy and secure multi-party computation could be applied in some arenas to enhance privacy.

Are there any emerging technologies that will revolutionize how we approach data privacy and compliance?

There are several emerging technologies that have the potential to enhance security, transparency and control over personal data.

Two that come to top of mind, but that are not without challenges, are:

  • Homomorphic encryption: This technology can make it possible to perform analytics on encrypted data without exposing sensitive information.
  • Blockchain and distributed ledger technology: This could be used to enhance data integrity, manage consent and manage audit trails for privacy compliance.

These aren’t the only technologies and it’s essential to consider the specific needs and regulatory requirements of your organization when adopting emerging technologies to ensure they align with your privacy and compliance goals.


from Help Net Security https://ift.tt/0tUriFf

Changing approaches to cybersecurity have led to slow but steady progress in defense and protection. Still, competing interests create a growing challenge for cybersecurity decision makers and practitioners, according to CompTIA.


The state of cybersecurity

Most business and technology professionals feel that cybersecurity is improving, both generally and within their organizations. They also acknowledge that the stakes have grown dramatically, with the number of cybercriminals and threats skyrocketing. At the same time, companies are capturing far more data, creating new privacy implications for customers and operational risk for their internal workflows.

“Even small gains in satisfaction are welcome, but there is plenty of room for improvement,” said Seth Robinson, VP, industry research, CompTIA. “Businesses have begun to consider cybersecurity as a critical function. The next stage requires a multi-faceted approach of processes, policies, people and products.”

Organizations are responding on each of these fronts. Generative AI is viewed as a tool that can help manage the growing complexity of cybersecurity. There is a heightened commitment to workforce education, including training for all staff and support for certification for technical professionals. Risk management and zero trust practices are gaining a larger footprint.

The challenge becomes even greater as organizations go through digital transformation and tie technology initiatives more closely to business success, according to Robinson.

“Excessive cybersecurity measures can hinder overall progress, but if measures are too relaxed, it can lead to serious incidents, resulting in potentially greater negative impacts,” he explained. “This balancing act is a full-time job. With technology trends evolving and attack patterns changing, true equilibrium may be impossible to achieve.”

Threat focus areas for organizations include malware, cited by 40% of U.S. respondents, ransomware (33%), firmware hacking (31%), IoT-based attacks (31%), hardware-based attacks (31%) and phishing (30%). The potential damage from an attack can be catastrophic. Among U.S. respondents, cybersecurity incidents had a severe impact at 22% of organizations, and a moderate impact at 43%.

Four critical variables in cybersecurity balancing

CompTIA believes there are four critical variables that must be considered in balancing the cybersecurity equation. The report identifies trends to watch in 2024 in these areas.

Product: Companies see a wide range of likely uses for generative AI in cybersecurity over the next two to three years.

  • Monitoring network traffic and detecting malware (53%)
  • Analyzing user behavior patterns (50%)
  • Automating response to cybersecurity incidents (48%)
  • Automating configuration of cybersecurity infrastructure (45%)
  • Predicting areas where future breaches may occur (45%)
  • Generating tests of cybersecurity defenses (45%)

People: By a slim margin, the top challenge facing organizations is a cybersecurity skill gap. To narrow the gap, 50% of U.S. organizations use internal training to improve cybersecurity skills, while 43% are helping employees pursue certifications to validate their knowledge.

Policy: Risk management is becoming the primary method for assessing the connection between cybersecurity efforts and business operations. Just over half of U.S. firms take a leading approach to identify and manage risks and related spending. Nearly 30% assess risks but do not use a formal risk management framework.

Process: Building cybersecurity processes and integrating cybersecurity into business workflows drives many functional decisions, from evaluating new technologies, to governance, risk and compliance, to workforce education. The general intent of any process, whether direct or indirect, is to align with the principles of a zero trust framework. Although only 28% of firms identify a zero trust framework as part of their strategy, more organizations are following individual practices commonly included in a zero trust approach.


from Help Net Security https://ift.tt/IrjbGyL

The cost of an insider risk is the highest it’s ever been, as organizations spend more time than ever trying to contain insider incidents, according to DTEX Systems.


The average annual cost of an insider risk has increased to $16.2 million – a 40% increase over four years. Meanwhile, the average number of days to contain an insider incident has increased to 86 days.

In addition to analyzing the costs incurred when an organization experiences an insider security incident, this year’s study includes first-time insights into how organizations are funding insider risk programs. The findings show that 46% of organizations plan to increase their investment in insider risk programs in 2024. The study also found that 77% of organizations plan to start an insider risk program.

“We are encouraged that organizations plan to increase investments in insider risk programs because it’s required by customers and new industry regulations – not just because of previous incidents. This is a significant change that portends long-overdue attention and prioritization,” said DTEX Systems CTO Rajan Koo.

Inadequate investment in insider risk management

The momentum around insider risk management comes amid soaring costs, frequency, and time to contain insider-related security incidents. According to research analyst Gartner, insider risk management refers to “the tools and capabilities to measure, detect, and contain undesirable behavior of trusted accounts within the organization.”

Despite the growing cost of insider risks, 88% of organizations spent less than 10% of their total IT security budget on insider risk management. Organizations had an IT security budget of $2,437 per employee, yet only 8.2% (equivalent to $200 per employee) was allocated specifically to insider risk programs and policies.

The remaining 91.8% of IT security budget was spent on external threats, despite more than half of organizations attributing social engineering as a leading cause of all outside attacks.

Koo said the findings show that budgets are being wasted on reactive “symptom management” despite growing evidence that the root cause starts within. “The findings demonstrate that the human, manifested as an insider risk, is the leading cause of all data breaches – including the socially engineered,” he said. “This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP.”

Dr. Larry Ponemon, chairman of the Ponemon Institute, commented: “Our goal in conducting this research is to create awareness of the significant costs incurred when employees are negligent, outsmarted or malicious in the handling of an organization’s sensitive data. We believe this study is unique because it analyzes the costs based on the type of insider, the time it takes to contain the incident and the technologies that are most effective in reducing the costs. Such information is beneficial in creating a strategy to deal more effectively with the insider risk while reducing the costs.”

Insider risk program funding set to increase

The average annual cost of an insider risk has risen 40% over four years to $16.2 million – up from $15.4 million in 2022. The average number of days to contain an insider incident in 2023 has increased to 86 days. The longer it takes to respond, the higher the cost ($18.33 million for incidents that take more than 91 days to contain).

Organizations had an average IT security budget of $2,437 per employee, yet only 8.2% (equivalent to $200 per employee) was allocated specifically to insider risk management programs and policies.

Only 10% of insider risk management budget (averaging $63,383 per incident) was spent on pre-incident activities: $33,596 on monitoring and surveillance, and $29,787 on ex-post analysis (this includes activities to minimize potential future insider incidents and steps taken to communicate recommendations with key stakeholders).

The remaining 90% (averaging $565,363 per incident) was spent on post-incident activity cost centers: $179,209 on containment, $125,221 on remediation, $117,504 on investigation, $113,635 on incident response, and $29,794 on escalation.

Despite the fact that most organizations allocate an average of 8.2% of their IT security budgets to insider risk programs, 58% view current spending as inadequate and 46% expect funding to increase in the next year. 77% of organizations have started or are planning to start an insider risk program.

Non-malicious insiders cause most insider incidents

75% of respondents said the most likely cause of insider risk is non-malicious: a negligent or mistaken insider (55%) or an outsmarted insider who was exploited by an external attack or adversary (20%).

53% of organizations said social engineering (including phishing, pretexting and business email compromise) was a leading cause of non-insider or external attacks.

The average activity cost for financial services is $20.68 million, and for services (including accountancy, consultancy and professional services firms) it is $19.09 million.

Among organizations that have or plan to have a dedicated insider risk program, 52% report that top-down support and championing of the program (e.g., an insider risk steering committee) is a key feature. 51% have a dedicated cross-functional team from legal, human resources, line of business and IT security.

One-third of organizations view artificial intelligence and machine learning as essential to the prevention, investigation, escalation, containment and remediation of insider incidents, while 31% view it as very important.


from Help Net Security https://ift.tt/JEzdg3U

If you’re looking for the Connections answer for Monday, September 25, 2023, read on—I’ll share some clues, tips, and strategies, and finally the solutions to all four categories. Beware, there are spoilers below for September 25, NYT Connections #106! Scroll to the end if you want some hints (and then the answer) to today’s Connections game.

By the way, if you want an easy way to come back to our Connections hints every day, bookmark this page. You can also find our past hints there as well, in case you want to know what you missed in a previous puzzle.

How to play Connections

I have a full guide to playing Connections, but here’s a refresher on the rules:

First, find the Connections game either on the New York Times website or in their Crossword app. You’ll see a game board with 16 tiles, each with one word or phrase. Your job is to select a group of four tiles that have something in common. Often they are all the same type of thing (for example: RAIN, SLEET, HAIL, and SNOW are all types of wet weather) but sometimes there is wordplay involved (for example, BUCKET, GUEST, TOP TEN, and WISH are all types of lists: bucket list, guest list, and so on).

Select four items and hit the Submit button. If you guessed correctly, the category and color will be revealed. (Yellow is easiest, followed by green, then blue, then purple.) If your guess was incorrect, you’ll get a chance to try again.

You win when you’ve correctly identified all four groups. But if you make four mistakes before you finish, the game ends and the answers are revealed.

How to win Connections

The most important thing to know to win Connections is that the groupings are designed to be tricky. Expect to see overlapping groups. For example, one puzzle seemed to include six breakfast foods: BACON, EGG, PANCAKE, OMELET, WAFFLE, and CEREAL. But BACON turned out to be part of a group of painters along with CLOSE, MUNCH, and WHISTLER, and EGG was in a group of things that come by the dozen (along with JUROR, ROSE, and MONTH). So don’t hit “submit” until you’ve confirmed that your group of four contains only those four things.

If you’re stuck, another strategy is to look at the words that seem to have no connection to the others. If all that comes to mind when you see WHISTLER is the painting nicknamed “Whistler’s Mother,” you might be on to something. When I solved that one, I ended up googling whether there was a painter named Close, because Close didn’t fit any of the obvious themes, either.

Another way to win when you’re stuck is, obviously, to read a few helpful hints. Below, I’ll give you some oblique hints at today’s Connections answers. And further down the page, I’ll reveal the themes and the answers. Scroll slowly and take just the hints you need!


Does today’s Connections game require any special knowledge?

There are a few proper names that it would be helpful to recognize, and some oblique references to social media.

Hints for the themes in today’s Connections puzzle

Here are some spoiler-free hints for the groupings in today’s Connections:

  • Yellow category - Your big day!
  • Green category - Completely cased, cowled, and capped.
  • Blue category - We’re missing a Skellington and a Sprat.
  • Purple category - This is not what’s usually meant by last names...

Does today’s Connections game involve any wordplay?

There’s a category whose answers are incomplete—you’ll need to add something (different) to each of the words on the tiles to get the full words. Unlike a fill-in-the-blank, the thing you need to add is different for each of the four.

Ready to hear the answers? Keep scrolling if you want a little more help.


BEWARE: Spoilers follow for today’s Connections puzzle!

We’re about to give away some of the answers. Scroll slowly if you don’t want the whole thing spoiled. (The full solution is a bit further down.)

What are the ambiguous words in today’s Connections?

  • MA can be a mother or grandmother, or a surname, as in cellist Yo-Yo Ma or business magnate Jack Ma.
  • GRAM can be a measure of mass, or a bean or lentil. Gram flour usually refers to flour made from chickpeas, but note that this is spelled differently from Graham crackers. You also might call your grandmother your Gram. In any case, none of that will help you here. I can’t say what this is without giving away the category.
  • A TRAIN refers metaphorically to any long tail, like the trailing fabric of a formal dress, or a series of cars pulled behind a locomotive. (Real Thomas the Tank Engine-heads will recall that not only is Thomas not a train—he is an engine, which is the British word for locomotive—there is a whole story in which he gets his first train. Before that, his job was moving cars around the railyard.)
  • IN is a word that doesn’t do much by itself. That’s your last hint, okay? There are no synonyms for IN on this board.

What are the categories in today’s Connections?

  • Yellow: BRIDAL ACCESSORIES
  • Green: “C” WORDS FOR “ENVELOP”
  • Blue: JACKS
  • Purple: SOCIAL MEDIA APP ENDINGS

DOUBLE BEWARE: THE SOLUTION IS BELOW

Ready to learn the answers to today’s Connections puzzle? I give them all away below.

What are the yellow words in today’s Connections?

The yellow grouping is considered to be the most straightforward. The theme for today’s yellow group is BRIDAL ACCESSORIES and the words are: BOUQUET, RING, TRAIN, VEIL.

What are the green words in today’s Connections?

The green grouping is supposed to be the second-easiest. The theme for today’s green category is “C” WORDS FOR “ENVELOP” and the words are: CAKE, COAT, COVER, CRUST.

What are the blue words in today’s Connections?

The blue grouping is the second-hardest. The theme for today’s blue category is JACKS and the words are: BLACK, FROST, MA, SPARROW.

What are the purple words in today’s Connections?

The purple grouping is considered to be the hardest. The theme for today’s purple category is SOCIAL MEDIA APP ENDINGS and the words are: BOOK, GRAM, IN, TUBE. (FaceBOOK, InstaGRAM, LinkedIN, YouTUBE.)

How I solved today’s Connections

Forget the wedding words, what’s up with SPARROW? No birds around, so it must be the pirate. Jack BLACK, Jack FROST, yes we’re getting somewhere! Jack MA? Yes, for some reason. That’s one fictional character, one actor, one metaphorical (maybe we could generously say mythical) and one...Alibaba founder?

COAT, COVER, CRUST, and VEIL stood out to me as coverings, but that was “one away.” So I went a different direction, and puzzled over GRAM a bit. There were no other measuring units, or alternative flours, and it’s not spelled like the cracker. All that was left was “the ’gram,” as in Instagram, and then I recognized the other partial names of social media networks: YouTUBE, FaceBOOK, and—with a little imagination—LinkedIN.

There were still too many wedding words to pin down a group, but then I thought of putting CAKE with the coatings. That was it, and I finally had my wedding words—BRIDAL ACCESSORIES, it turns out.

Connections 
Puzzle #106
🟦🟦🟦🟦
🟩🟩🟨🟩
🟪🟪🟪🟪
🟩🟩🟩🟩
🟨🟨🟨🟨

from Lifehacker https://ift.tt/7heYPUz

When it comes to the housing market in the United States, there’s a widening gap between conventional wisdom and real estate reality. Take so-called “starter homes,” for example.

In postwar suburban America, the term was used to describe smaller homes that younger people could afford to purchase and live in as they were getting their lives—and their families—established, before buying and settling down somewhere more spacious.

There are plenty of people out there who believe that “starter homes,” as originally conceived, still exist. But for so many would-be first-time homebuyers in 2023, they’re a fantasy, not a reality in most parts of the country. In fact, a new report from Realtor.com found that renting a starter home is cheaper than buying one in all but three major metropolitan areas in the U.S. Here’s what to know.

Why traditional ‘starter homes’ are expensive and in short supply

Many people assume that compact one- and two-bedroom homes are still accessible to those at the beginning of their careers, but they’re no longer the affordable option they once were. There are a few reasons for this.

First, there’s the issue of financing. Mortgage rates are currently higher than they’ve been in more than 22 years, according to Bankrate. That alone makes it harder to afford a home, but having to compete against other buyers who are able to pay cash is even worse.

According to a July 28, 2023 tweet from Redfin, 37% of U.S. starter homes were purchased in cash in May. “That’s in part because real estate investors are buying up a sizable chunk of today’s affordable homes,” the tweet reads. So, as an article from The Ascent points out, this means first-time homebuyers have to compete against investors with deep pockets who are looking for houses to rent or flip.

And while there’s clearly a demand for these smaller, more affordable homes, they’re in short supply. In July 2023, total housing inventory was down 13.6% from the previous year, according to data from the National Association of Realtors (NAR).

“There are simply not enough homes for sale,” NAR Chief Economist Lawrence Yun said in a statement. “The market can easily absorb a doubling of inventory.”

And we’re unlikely to see housing costs drop anytime soon. NAR expects housing prices to increase by 2.6% in 2024, while Zillow predicts that home values will increase 4.9% over the course of the next year.


from Lifehacker https://ift.tt/zbiq9vw