The private equity firm snapped up the company in a cash transaction that values Sophos at $3.9bn. Under the terms of the agreement, Sophos stockholders will receive $7.40 per share.
The acquisition offer was first announced on October 14, 2019. Stockholders voted to approve the transaction on December 3, 2019.
Sophos was founded by Jan Hruska and Peter Lammer and began producing its first antivirus and encryption products in 1985. Today the company serves more than 400,000 organizations in over 150 countries from its headquarters in Abingdon, Oxfordshire.
The company currently partners with more than 53,000 resellers and managed service providers to protect over 420,000 organizations and 100 million global users from advanced cyber-threats.
Sophos CEO Kris Hagerman said: "Sophos is excited to work with Thoma Bravo as we begin our next chapter of growth and success, continuing in our mission to deliver the world’s most effective next-generation cybersecurity technology."
Hagerman predicted that partnering with Thoma Bravo would speed up Sophos' journey to becoming a leader in next-gen cybersecurity—a journey that he says is well under way.
"Our transition to become a fully next-gen cybersecurity leader continues to rapidly progress. Last quarter, our next-gen product portfolio represented over 60% of our entire business and grew 44% year-over-year. And very recently, we launched our most significant network security technology ever, the Sophos XG Firewall with Xstream architecture," said Hagerman.
"With Thoma Bravo as a partner, we believe we can accelerate our progress and get to the future even faster, with dramatic benefits for our customers, our partners and our company as a whole."
Forty-year-old firm Thoma Bravo has been operating an investment strategy of buy-and-build in the software and technology industries for nearly 20 years, acquiring more than 200 companies representing over $500bn of value.
"Sophos has been constantly raising the bar with its industry-leading synchronized security, advanced deep learning technology and rapid growth within the MSP (managed service provider) channel," said Seth Boro, a managing partner at Thoma Bravo.
"We are excited to partner with Sophos to help build upon their success as they further drive innovation in cybersecurity."
The personal data of 10,000 UK rail passengers has been exposed after a Wi-Fi provider left a database unsecured online.
C3UK provides passengers with free Wi-Fi at railway stations across the UK. The company admitted failing to secure a database containing user information when contacted by the British Broadcasting Corporation's news team.
The data breach was discovered by security researcher Jeremiah Fowler, who stumbled across the C3UK database while carrying out research online for Security Discovery. Fowler said the database contained 146 million records, including dates of birth, email addresses, and travel plans.
Shockingly, the database was stored on an Amazon Web Services storage device that was not protected by a password and could therefore be viewed by anyone.
Passengers affected by the breach include those who have used free Wi-fi services at Harlow Mill, Chelmsford, Colchester, Waltham Cross, Burnham, Norwich, and London Bridge. The database had been created between November 28, 2019, and February 12, 2020.
Fowler sent evidence of his discovery to C3UK on Valentine's Day, 2020. When he didn't receive an immediate response, the researcher sent two follow-up emails over the next six days, warning the company of the data breach.
"When you see that information, you are racing against the clock to get it closed down," said Fowler.
C3UK said that the unsecured database, which it described as a back-up copy, was secured as soon as it was made aware of the breach.
The company downplayed the seriousness of the breach, stating: "Given the database did not contain any passwords or other critical data such as financial information, this was identified as a low-risk potential vulnerability."
C3UK said that an internal investigation into the cybersecurity incident indicated that the mistake had been caught and rectified before any data had wound up in the hands of bad actors.
"To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available," it said.
After finding no evidence that the data had been accessed or exfiltrated by other parties, C3UK elected not to report the data breach to the regulatory body, the Information Commissioner's Office (ICO).
The C3UK breach was confirmed by Network Rail, which said it had "strongly suggested" to the company that it report the incident to the ICO.
The volume of HMRC phishing emails reported by the public has fallen sharply over the past two years, as those related to SMS- and phone-based scams increased, according to a new Freedom of Information (FOI) request.
UK-based Griffin Law obtained the figures from the UK tax office related to the latter's suspicious email referral service. As such, it doesn’t provide a full picture of the scale of the phishing threat facing taxpayers, but does give useful insight into general trends.
From January 1 2018 to December 31 2019 there were a total of over 1.5 million reported scams. Although the vast majority (77%) of attacks came via email, the volume actually dropped by 60% between 2018 and 2019.
At the same time, the volume of smishing reports increased by 56% to reach 57,579, while the number of phone scams reported by the public jumped by a staggering 234% to reach 195,720 in 2019.
That could partly be explained by greater public awareness of such scams, but also seems to show an increasing willingness on the part of fraudsters to use different communications methods to trick taxpayers.
“It’s no surprise that cyber-criminals see impersonating HMRC through fraudulent phishing schemes as an easy route to securing cash pay-outs from unsuspecting victims. What’s most disturbing about these figures is the sophisticated multi-channel approach being used across calls, texts and emails to dupe individuals into assuming these interactions are a legitimate communication from the taxman,” argued Barracuda Networks SVP, Chris Ross.
“Moving forward, it’s vital that there is much more public awareness about how advanced and prevalent these phishing schemes have become. It’s also important to recognize the lengths these criminals will go to trick entrepreneurs, finance workers and vulnerable or elderly people into handing over PIN codes or transferring money to false accounts.”
A report from last June claimed that the HMRC had received over 2.6 million phishing reports from the public since the 2016-17 financial year.
Backed by the National Cyber Security Centre (NCSC), the tax office has been taking strides to improve resilience against such attacks.
Thanks to switching on DMARC with the strongest p=reject policy it’s said to have blocked hundreds of millions of phishing scams, while a report in 2018 claimed it had been able to deactivate tens of thousands of phishing sites.
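To make the p=reject point concrete, here is an added example (not from the page, HMRC or the NCSC) that parses a DMARC TXT record and reports how much protection the published policy actually gives. The records it checks are constructed for illustration, not HMRC's real DNS.

```python
"""Rate a DMARC TXT record: p=reject is the only policy that tells receiving
mail servers to refuse spoofed mail outright. Added example with constructed
records; nothing here is HMRC's or the NCSC's actual configuration."""
from __future__ import annotations

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus the weaknesses a defender should fix."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy: {policy!r}")
    pct = int(tags.get("pct", "100"))            # share of failing mail the policy applies to
    sub_policy = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    findings = []
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine lands spoofed mail in spam rather than rejecting it")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return {"policy": policy, "pct": pct, "subdomain_policy": sub_policy, "findings": findings}


# Constructed records: the strongest configuration and a typical weak first attempt.
STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"
WEAK = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for rec in (STRONG, WEAK):
        print(rec, "->", assess_dmarc(rec))
```

The check is deliberately strict about `sp=` and `pct=`: a record that reads p=reject but carries sp=none or pct=10 leaves most of the spoofing surface open, which is why the article's "strongest p=reject policy" wording matters.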
The UK parliament has invoked the spirit of Guy Fawkes in a bid to improve cybersecurity awareness among lawmakers.
A newsletter update reportedly sent to members of the House of Lords warned that the infamous Gunpowder Plot to blow up parliament on November 5 1605 has a modern-day equivalent in cyber-criminal activity.
“These days, every day is November 5. Cyber-criminals are a persistent and increasing threat to our parliament and those that work in it — we are under cyber-attack every minute of every day,” it claimed.
“Anyone that works on parliament’s network is [a] potential target for cyber-attacks. To protect parliament and yourself from these attacks, everyone must play their part.”
While attacks happen every day, few are reported to succeed. The most notable in recent years was a brute-force attack in 2017 that compromised around 1% of the roughly 9000 parliamentary email accounts. It was subsequently blamed on state-sponsored attackers from Iran.
MPs then received follow-on vishing calls from hackers pretending to work for the Parliamentary Digital Service, in an attempt to trick them into handing over their log-ins.
Parliamentary email holders were sent nearly 21 million spam messages in the 2018-19 financial year, but internal security systems blocked them before they reached the inboxes of MPs, Lords and their staffers.
Spam can also come from unexpected places: in 2016 the speaker John Bercow was forced to intervene after MPs complained of being bombarded by emails from Donald Trump’s election team.
Bercow described it as an “exceptionally tedious experience.”
The Home Office breached the GDPR 100 times in its handling of EU citizens’ data in the space of just five months, an inspector’s report has revealed.
Between March 30 and August 31 2019 the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI).
The report is the second to focus on the controversial EU Settlement Scheme (EUSS), which EU citizens must apply to if they want to remain in the UK post-Brexit. The EUSS launched at the end of March.
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
Aside from the 23 documents misplaced by a postal company in July, the worst incident came in April, when 240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email.
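The BCC mistake in the April incident is a process failure that can be caught before the message leaves. The following added example (not Home Office tooling; all addresses are constructed placeholders) builds a bulk notice so that recipients travel only in the SMTP envelope, and adds a pre-send check that refuses any message whose To or Cc headers would expose more than one address.

```python
"""Guard against the 'forgot the BCC field' bulk-mail leak. Added example,
not the Home Office's own tooling; addresses are constructed placeholders."""
from email.message import EmailMessage
from email.utils import getaddresses


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: whatever sits in To and Cc.
    A Bcc header never reaches recipients, so it is not counted."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def safe_to_send(msg: EmailMessage, max_visible: int = 1) -> bool:
    """Pre-send check: a bulk notice must not expose more than max_visible addresses."""
    return len(visible_recipients(msg)) <= max_visible


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str):
    """Build one notice whose real recipients exist only in the SMTP envelope.
    Returns (message, envelope_recipients); pass the list as to_addrs to
    smtplib.SMTP.send_message so no recipient ever sees the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # the only address printed in the headers
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(a.strip() for a in recipients))  # de-duplicate, keep order
    if not safe_to_send(msg):
        raise ValueError("bulk message would expose recipient addresses")
    return msg, envelope


def leaky_message(sender: str, recipients: list[str]) -> EmailMessage:
    """The mistake the report describes: every applicant pasted into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Application update"
    msg.set_content("...")
    return msg


# Constructed applicant addresses standing in for the 240 exposed in the report.
APPLICANTS = ["a.applicant@example.org", "b.applicant@example.net", "c.applicant@example.com"]

if __name__ == "__main__":
    bad = leaky_message("noreply@example.org", APPLICANTS)
    print("leaky message exposes", visible_recipients(bad), "safe:", safe_to_send(bad))
    good, envelope = build_bulk_message("noreply@example.org", APPLICANTS, "Application update", "...")
    print("safe message shows", visible_recipients(good), "- envelope carries", len(envelope), "addresses")
```

Wiring `safe_to_send` into the outbound relay or the script that sends the notices is the "changed bulk email process" the department promised: the check fails closed, so a pasted-in address list is rejected rather than delivered.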
That incident happened just days after a similar privacy snafu in which the Home Office exposed the details of 500 applicants to the Windrush compensation scheme — itself set up after the mistreatment of Commonwealth citizens by the Conservative government.
At the EUSS, important ID documents were misplaced inside the EUSS office on multiple occasions and sometimes returned to the wrong address, according to the report.
The Home Office claimed it is getting better at data protection.
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
A Chinese scientist convicted of stealing trade secrets worth $1bn from an Oklahoma petroleum company has been jailed in the United States.
Hongjin Tan was employed by the unnamed company in June 2017 to work in a group whose goal was to develop next-generation battery technologies for stationary energy storage.
Vigilant coworkers caught the 36-year-old Chinese national and US legal permanent resident stealing hundreds of files containing proprietary information specifically related to flow batteries.
After being confronted with the theft, Tan admitted intentionally copying and downloading the research and development materials onto a thumb drive without authorization from his employer.
Realizing the jig was up, Tan turned in the thumb drive along with his resignation in December 2018. But when investigators examined the storage device, they found evidence that five documents that had been stored on it had since been deleted.
The missing files were later located on an external hard drive recovered during a search of Tan's premises. It transpired that Tan had swiped the files and squirreled them away at home, where they could be accessed, and potentially sold, at a later date.
On November 12, 2019, Tan pleaded guilty to theft of a trade secret, unauthorized transmission of a trade secret, and unauthorized possession of a trade secret.
Speaking at the time, Assistant Attorney General for National Security John C. Demers said: “Tan’s guilty plea continues to fill in the picture of China’s theft of American intellectual property.
"The Department launched its China Initiative to battle precisely the type of behavior reflected in today’s plea—illegal behavior that costs Americans their jobs—and we will continue to do so.”
Yesterday, US District Judge Gregory K. Frizzell sentenced Hongjin Tan to 24 months in federal prison and ordered him to pay $150,000 in restitution to his former employer. After completing his two-year prison sentence, Tan will spend a further three years on supervised release.
“The sentencing of Hongjin Tan underscores the FBI’s commitment to protecting our country's industries from adversaries who attempt to steal valuable proprietary information,” said Melissa Godbold, special agent in charge of the FBI Oklahoma City Field Office.
"American companies invest heavily in advanced research and cutting-edge technology. Trade secret theft is detrimental to our national security and free-market economy. It takes profits away from companies and jobs away from hard working Americans."
The FBI has indicted a man suspected of being responsible for a hack that compromised the accounts of 127 million Ticketfly users.
Moulak O. Ishak allegedly hacked into Ticketfly's systems in 2018. Ticketfly punters who tried to purchase tickets for upcoming live gigs were greeted with a picture of the V for Vendetta character and the message "Ticketfly HacKeD By IsHaKdZ."
At the time of the attack, Ticketfly was owned by Eventbrite, which made the decision to temporarily take the platform offline in the wake of the breach. Eventbrite issued the online message, “Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly has been the target of a cyber incident.”
Following the attack, Motherboard claimed that hacker IsHaKdZ told them via email that he had warned Ticketfly of a vulnerability that allowed him to take control of all the databases for Ticketfly and its website.
In what sounds a lot like a ransom demand, the hacker is purported to have told Motherboard that he offered to share details of the vulnerabilities with Ticketfly in exchange for 1 bitcoin but never received a reply from the platform's operators.
Following the hack, the personal details of six Ticketfly users were posted to a server as proof that IsHaKdZ's claims of being able to access the databases were real.
According to the indictment issued on February 18, the FBI believes that Ishak, using the pseudonym IsHaKdZ, attempted to extort money from Ticketfly over a five-day period.
Ishak has been indicted on one count of forfeiture and one felony count of extortion in relation to damage to a protected computer.
The alleged cyber-criminal has not been apprehended, though a warrant has been issued for his arrest. If caught and convicted of these charges, Ishak could face a fine of $250,000 and up to three years behind bars.
The indictment reads: "On or about 27 May 2018, and continuing to at least 31 May 2018, in the Northern District of California and elsewhere, the defendant, with intent to extort from Ticketfly money and other things of value, transmitted in interstate and foreign commerce a communication containing a demand and request for money and other things of value in relation to damage to a protected computer, to wit, Ticketfly’s servers, where such damage was caused to facilitate the extortion."
For the 2020 edition, however, many of the attack vectors presented weren't entirely new, as old threats resurfaced. Additionally of note, while the title of the session is about the top five new attacks, researchers outlined more than that at this particular event.
Command and Control (C2) Returns
Ed Skoudis, instructor at the SANS Institute, highlighted what he referred to as the "golden age of C2" as one of his top new threats. C2, short for command and control, is commonly associated with botnet activity that is controlled from a central command point.
Skoudis identified several ways that organizations can help protect themselves from C2 activity. Among his suggestions is for defenders to vigorously control outbound traffic and look for beacons and log anomalies. He also suggested that security professionals enforce application whitelisting to limit what can run within the enterprise.
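"Look for beacons" is the one suggestion above that turns into detection logic directly. The added example below (not SANS or Skoudis tooling) runs over a constructed outbound-connection log and flags source/destination pairs whose connection cadence is too regular to be a person: a beacon calls home on a near-fixed schedule, so the gaps between its connections have a very low coefficient of variation, while a user browsing the same site produces erratic gaps. The log format and IP addresses are assumptions made for the example.

```python
"""Spot C2 beaconing in outbound connection logs. A beacon calls home on a
near-fixed schedule, so the gaps between one host's connections to one
destination have a very low coefficient of variation (stdev / mean).
Added example over a constructed log; not tooling from SANS or Skoudis."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <src ip> <dst ip> <bytes out>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")

# Constructed sample: 10.0.0.5 beacons to 203.0.113.7 roughly every 60 s,
# while 10.0.0.9 browses 198.51.100.3 at human-looking irregular intervals.
SAMPLE_LOG = """\
2020-03-02T09:00:00 10.0.0.5 203.0.113.7 412
2020-03-02T09:00:00 10.0.0.9 198.51.100.3 1580
2020-03-02T09:00:03 10.0.0.9 198.51.100.3 23011
2020-03-02T09:00:48 10.0.0.9 198.51.100.3 902
2020-03-02T09:00:50 10.0.0.9 198.51.100.3 77120
2020-03-02T09:00:59 10.0.0.5 203.0.113.7 410
2020-03-02T09:02:00 10.0.0.5 203.0.113.7 415
2020-03-02T09:03:00 10.0.0.5 203.0.113.7 412
2020-03-02T09:03:58 10.0.0.5 203.0.113.7 409
2020-03-02T09:05:00 10.0.0.5 203.0.113.7 413
2020-03-02T09:05:50 10.0.0.9 198.51.100.3 3310
2020-03-02T09:06:00 10.0.0.5 203.0.113.7 411
2020-03-02T09:06:02 10.0.0.9 198.51.100.3 640
2020-03-02T09:06:03 10.0.0.9 198.51.100.3 12
2020-03-02T09:07:00 10.0.0.5 203.0.113.7 414
2020-03-02T09:07:33 10.0.0.9 198.51.100.3 5088
""".splitlines()


def find_beacons(lines, min_hits=6, max_cv=0.15):
    """Return (src, dst) pairs whose connection cadence looks machine-driven."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:          # skip malformed lines rather than crash on a noisy log
            continue
        sessions[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))
    hits = []
    for (src, dst), stamps in sessions.items():
        if len(stamps) < min_hits:   # too few connections to judge a rhythm
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # 0 means perfectly periodic
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "hits": len(stamps),
                         "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Two thresholds carry the tuning: `min_hits` keeps one-off connections from being scored at all, and `max_cv` sets how much jitter still counts as periodic. Pair the result with the outbound-traffic controls the article recommends, since a flagged pair is a lead to investigate (owner of the host, reputation of the destination), not a verdict on its own.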
Living Off the Land
Another trend that Skoudis identified is the concept of living off the land, which refers to attackers making use of tools that are already present within an organization and then abusing them for malicious gain.
"If you're an attacker, what you could do is you could use the resources of the operating system itself to attack that machine, and to spread to other systems in the environment, so you're living off the land," he said.
The concept of living off the land is not entirely new either, having been reported on at least as far back as 2015.
There are several things that organizations can do to protect against living off the land attacks. One set of resources cited by Skoudis is the LOLBAS project, which provides tools to help identify and limit the risk of attacks.
Deep Persistence
With the threat of deep persistence, Skoudis warned that malware can now be embedded deep into devices in a way that wasn't happening before. For example, he noted that it is now possible to embed malware in a USB charging cable.
With the charging cable example, even if an organization is able to purge whatever malware gets installed on a given system, with deep persistence, the next time the cable is plugged in, it will reinfect the system all over again.
Skoudis said that it's important for individuals and companies to not just plug anything into their system and to make sure that cables and other peripherals are acquired from trusted sources.
Mobile Device Integrity
Heather Mahalik, senior instructor and director of digital intelligence at SANS Institute, highlighted the risk of mobile devices as one of her top threats.
Given that mobile phones have become an essential part of daily life, she noted that if a phone falls into the wrong hands it could be catastrophic. She wasn't just talking about lost or stolen devices, but also about the risk of refurbished devices that have not been properly wiped of the previous owner's data.
She also mentioned the risk of the checkm8 vulnerability in Apple iOS devices, which is a silicon vulnerability that enables the checkra1n jailbreak.
How 2FA Can Hurt You
Two-Factor Authentication (2FA) is a recommended best practice to help improve user security, but it's not a panacea either. Mahalik noted that simply having a code that needs to be typed in for 2FA isn't enough.
She also warned that there are some apps that only require a phone number, which is a risk if a user gives up their phone number and the carrier then reissues that number to a new customer.
"You want a password and 2FA," she said. "If it's just one or the other, it's not a good scenario."
Mahalik suggested that when users get a new phone number they should make sure they go into every application that has 2FA and change to the new number.
Enterprise Perimeter Vulnerabilities
Johannes Ullrich, dean of research at SANS Institute, identified the risk of enterprise perimeter vulnerabilities as one of his top threats.
Over the past year there have been numerous publicly reported issues in widely deployed enterprise firewall and perimeter security devices.
Aside from patching, Ullrich suggests that users never expose an administrative interface on an enterprise perimeter device to the public internet.
Localhost APIs
The final emerging threat identified by Ullrich is localhost APIs embedded in enterprise applications that call out to third-party resources. While the intention of these APIs is to enable functionality such as tech agent support, they also expose enterprises to potential risk.
To help limit the risk, Ullrich suggests that users, where possible, identify what is listening on ports on a system and monitor how applications call out to external resources.
A data breach that exposed patients' personal health information (PHI) for almost three months went undetected for half a year at a Michigan healthcare group.
Hackers gained access to patient data placed in the safekeeping of Munson Healthcare Group by compromising the email accounts of at least two employees. Patient records were accessed from July 31, 2019, to October 22, 2019, but the breach went undetected until January 16, 2020.
What data was compromised in the prolonged attack varied from patient to patient, but information accessed by the hackers included financial account numbers, driver’s license numbers, dates of birth, and Social Security numbers.
Health information, including insurance details, treatments, and diagnostic data, was also exposed by the breach.
Exactly how many patients were affected by the breach has not been revealed by Munson Healthcare, but given the size of the group, the number could potentially be high. From its base in Traverse City, Munson Healthcare operates nine hospitals in 30 counties spread through Northern Michigan.
The group has 7,500 employees and covers an area of 11,177 square miles, which is roughly the size of Vermont and Delaware combined.
“This incident does not affect all patients of Munson Healthcare and not all information was included for all individuals. Munson Healthcare is now notifying affected individuals so that they can take steps to protect their information,” a spokesperson for Munson Healthcare said.
The group went on to say that no evidence had been found to indicate that the information exposed in the breach had been acquired or misused by any third parties who accessed it. Given how long it took the group to detect that the breach had even occurred, this statement may come as cold comfort to Munson patients whose data was accessed by hackers.
"Patient privacy is a top priority and we take this matter very seriously,” said Lucas Otten, Munson Healthcare's director of information security.
“Munson regularly trains and educates all employees on cybersecurity awareness and risks, and we use a 24x7 staffed cybersecurity response team in partnership with other Michigan hospitals to detect and respond to suspicious incidents as they happen."
Delivering a keynote talk at the RSA Conference in San Francisco, Mary T Barra, chairman and CEO of General Motors Company, said “all of you today are the best and strongest line of defense in this ongoing and even more complex fight.”
Barra had concluded the first part of her keynote talk by saying that “we know this is a marathon with no finish line” and stressed the need for more talent, citing the most recent (ISC)2 Cyber Workforce Survey, which estimated a shortage of four million skilled people by 2022. She said that “without the right people and the right tools” security risks will increase, “and endanger all of us.”
She added that for long term success of every business that exists in a digital ecosystem “we must fill the talent gap, and not just with anyone but with everyone.”
She highlighted the need to recruit more “women and minorities, who are under-represented in the engineering and IT fields.” To that end, GM has run outreach programs in schools that focus on “rewarding careers” and encourage students to pursue science, technology, engineering and mathematics (STEM) careers, to “help them see a path for themselves in this space.” Last year these programs reached 300,000 students and teachers across the United States, and General Motors has also participated in nationwide careers programs and encouraged its own engineers to do outreach to schools.
“If we want to cultivate young people of the future, we need to invest in theirs,” she said.
Free certificate authority Let’s Encrypt yesterday announced it has issued its billionth certificate, in what it claims to be a milestone for user privacy and security.
Backed by the non-profit Internet Security Research Group (ISRG), the initiative has good reason to make such claims, having made what was once a complex and expensive process — registering and managing TLS certificates — free and easy.
In a blog post from executive director, Josh Aas, and VP of comms, Sarah Gran, the two revealed how HTTPS page loads have risen from 58% of the global total in 2017 to 81%, and even higher (91%) in the US.
“When you combine ease of use with incentives, that’s when adoption really takes off. Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” they explained.
“When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”
However, there’s another side to the free encryption message: as well as making it easier for legitimate users to improve security, it has made it simpler for cyber-criminals to hide their activities online.
In 2016, for example, Trend Micro reported that malvertisers were using Let’s Encrypt to hide malicious advertising from network security tools.
A couple of years later, a flaw in Let’s Encrypt’s ACME protocol was found which could have allowed attackers to obtain certificates for domains they did not own.
However, the organization has also been improving its own security and authentication processes. Last week it launched a multi-perspective domain validation system to ensure certificate applicants control the domains they’re hoping to register a cert for.
A US TV star has lost nearly $400,000 in a classic email fraud scam after a fraudster persuaded her bookkeeper to wire funds to a new bank account.
Multi-millionaire Barbara Corcoran describes herself as an “NYC real estate queen” and is one of the investors on popular show Shark Tank. However, on Wednesday, she took to Twitter with the brief message, “Lesson learned: Be careful when you wire money!”
In fact, it was her bookkeeper who had been tricked into wiring $388,000 to an Asian bank, according to reports.
A fraudster reportedly spoofed the email address of Corcoran’s assistant, telling the bookkeeper to wire the funds to a German company called FFH Concept.
It’s unclear whether this was a legitimate supplier or a new organization, but the scammer apparently responded to an initial query for more information with a detailed explanation about the invoice.
That indicates they put in plenty of work ahead of time researching Corcoran’s business.
This modus operandi is similar to the business email compromise (BEC) or CEO fraud scams that netted scammers a staggering $1.8bn last year, accounting for half of all reported cybercrime losses. That’s up from around $1.3bn in 2018, according to the FBI.
Peter Goldstein, CTO and co-founder of Valimail, argued that firms cannot rely on human intuition alone to stop such scams.
“The phishing scam impacting Corcoran’s company clearly debunks the myth that phishing emails are easy to spot. Many companies invest in employee security training to prevent this kind of attack, but as this incident proves, humans are not able to identify malicious emails reliably,” he added.
“Hackers leverage impersonation and heavily researched social engineering tactics to appear as trustworthy senders, and their fraudulent messages are often indistinguishable from legitimate ones.”
Goldstein recommended investing in technologies which validate and authenticate sender identity. It’s reported that the email address used by the hacker was almost identical to that of Corcoran’s assistant but missing a single 'o' — a common tactic to trick recipients.
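The "missing a single letter" address is exactly the kind of thing sender-validation tooling can catch mechanically. The added example below (not Valimail's product or anything from the page) measures the edit distance between an incoming sender's domain and the domains a firm trusts, and holds anything within one or two edits for review. The domains are constructed under the reserved .example TLD; the trusted list, the threshold and the verdict labels are assumptions made for the example.

```python
"""Flag sender domains that are one or two edits away from a domain you trust,
the 'missing a single letter' trick in the Corcoran case. Added example with
constructed domains under the reserved .example TLD; not Valimail's product."""


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character insertions, deletions and substitutions turning a into b."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify_sender(address: str, trusted_domains, max_distance: int = 2):
    """Return (verdict, nearest_trusted_domain, distance).
    'trusted'   exact match with a domain you control or have vetted
    'lookalike' within max_distance edits of one: hold for manual review
    'external'  everything else"""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    trusted = [t.lower() for t in trusted_domains]
    if domain in trusted:
        return ("trusted", domain, 0)
    distance, nearest = min((levenshtein(domain, t), t) for t in trusted)
    if distance <= max_distance:
        return ("lookalike", nearest, distance)
    return ("external", None, distance)


# Constructed: the firm's real domain and a fraudster's one-letter-short copy.
TRUSTED = ["ourcompany.example"]
SAMPLES = [
    "assistant@ourcompany.example",   # genuine
    "assistant@ourcmpany.example",    # missing 'o', as in the Corcoran case
    "newsletter@vendor.example",      # unrelated third party
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr, "->", classify_sender(addr, TRUSTED))
```

Run the check against both the From and Reply-To headers, because a fraudster's reply address is often the one that differs by a letter. It complements rather than replaces DMARC: DMARC stops mail that forges the real domain, while the edit-distance check catches registered lookalikes that DMARC considers perfectly valid.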
Facebook has filed a lawsuit in California against a data analytics company it claims has illegally accessed user data.
New Jersey-based OneAudience allegedly paid app developers to install a malicious software development kit (SDK) in their apps. This was designed to harvest information including name, gender, email and username of users logging in to the apps with their Facebook credentials, the social network claimed.
“Security researchers first flagged OneAudience’s behavior to us as part of our data abuse bounty program. Facebook, and other affected companies, then took enforcement measures against OneAudience,” wrote the firm’s director of platform enforcement and litigation, Jessica Romera.
“Facebook’s measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate.”
The firm is said to have done the same to Twitter and Google users. Twitter claimed in a notice that the issue was down to “a lack of isolation between SDKs within an application.”
“Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK,” it explained.
“While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.”
In a statement back in November, OneAudience said that it was shutting down the offending SDK.
“Recently, we were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used,” it said.
“We proactively updated our SDK to make sure that this information could not be collected on November 13 2019. We then pushed the new version of the SDK to our developer partners and required that they update to this new version.”
There has been a lot written in recent years about election security and ensuring the integrity of voting systems. While voting machines are important, so too are non-voting election technologies, which was the topic of a session at the RSA Conference in San Francisco.
Aaron Wilson, Senior Director of Election Security at the Center for Internet Security (CIS), explained that non-voting election systems include things that support elections. Those systems include electronic poll books, election night reporting systems, voter registration systems, and electronic ballot delivery.
"There is a lot to that attack surface, but there are not a lot of standards and regulations," Wilson said.
The Center for Internet Security has developed a guide to help secure those non-voting election systems that has 160 best practices to help reduce risk and improve confidence. The overall goal, according to Wilson, isn't necessarily that every election official will do all the steps, but rather they will have a guide that provides questions to ask vendors and IT staff.
There are three key areas that Wilson suggested election officials should look at. The first is dealing with Denial of Service (DoS) risks.
"Denial of Service is concerning because you know exactly when to wage the attack against an election system," he said. "If you can take a service down in a moment of critical need it can have significant impact."
Ransomware is also a risk that election officials need to defend against. Wilson said that both DoS and ransomware attacks are essentially about availability and denying access to assets.
The third key area is something Wilson referred to as unauthorized data modification. That's a critical area for non-voting election system integrity, as an unauthorized change can throw an election into doubt.
Among the key recommendations that Wilson provided to reduce the risk of unauthorized data modification are the following:
- Deployment of automated software patch management tools
- Using best practices for securely handling input and output
- Verifying data on backup media
- Deployment of application layer filtering
- Enforcement of access controls to data
Verifying Election Technology
Going a step beyond best practices, there is also an ongoing need to verify that systems are in fact operating as intended on a continuous basis. That's where the RABET-V: Rapid Architecture-Based Election Technology Verification framework comes into play.
"RABET-V is an election technology verification process that supports rapid product changes by design," Wilson said.
The RABET-V effort was launched in February 2020 as a pilot program and is available as an open source effort on GitHub.
"It provides a consistent basis from which approval authorities can draw information, resulting in quicker decisions and reduced, amortized overall cost," Wilson concluded.
The method, procedures, and practices used by cybersecurity professionals have relevance beyond just the technology sphere; they can also be used to hack society.
"This is the big idea: we here in our community have developed some very effective techniques to deal with code and technology," Schneier said. "Can our expertise in IT security transfer to broader social systems like the tax code, or the systems we use to choose our elected officials or the market economy?"
Schneier argued that the hacker mindset, that is, an approach to thinking about how things fail and how to make things fail, has broader implications than just computer security. He suggested that the cybersecurity procedural mindset is valuable in a broader context and can be used to help secure the systems that make up society.
"As the world looks more like a computer, our security skills become more applicable," he said.
That said, Schneier noted that he didn't want to imply that technology can fix everything, but rather there is perhaps a way to blend technology and policy in a new way that can improve human communities.
The Hacking Mindset
Using a hacking mindset to impact society isn't an entirely new idea. Schneier remarked that NSA whistleblower Edward Snowden wrote in his memoir that the US intelligence community hacked the Constitution in order to justify mass surveillance.
"We can argue whether that's true or not, but everyone here intuitively knows what he means by that," Schneier said.
Another example of how the hacking mindset is already in use is within the advertising industry. Schneier argued that advertising is a hack of humans' cognitive systems to help influence choices.
Political forces are already using hacking-type techniques for propaganda as well.
"Authoritarian regimes are vulnerable to information attacks that challenge their monopoly on common political knowledge, and that is why an open internet is so dangerous to an autocracy," Schneier said. "Democracies are vulnerable to information attacks that turned common political knowledge into contested political knowledge."
Schneier suggested that there are several ways modern cybersecurity practices can be used to hack society for good purposes.
In cybersecurity, having transparency and visibility is a foundational idea that is a useful concept for society in general.
"We have other solutions in our tech tool kit like defense in-depth, compartmentalization, isolation, sandboxing, audit, incident response, and patching," he said. "We never actually solve a security problem, we iterate, so is there some way to iterate law to have extensible law, where we implement some rapid feedback in our laws and regulations."
A key challenge that Schneier sees today is that we don't have policy institutions with footprints to match the technology that society uses. For example, he noted that Facebook is global, yet it's only regulated nationally by specific governments.
"Our problems tend to be social problems masquerading as tech problems and tech solutions masquerading the social solutions," Schneier said. "We need to better integrate tech and policy."
Speaking in a keynote talk at the RSA Conference in San Francisco, Mary T. Barra, chairman and CEO of General Motors Company, said that she acknowledged that “no one in this room needs convincing that there are virtually no industries today that are not vulnerable to cyber-attacks.”
She said that the auto industry is no exception, as it is bringing technologies and features to market, while users expect seamless integration with their devices, “and it is always our intention that customers and their data are always safe, secure, and private.”
GM built a “proactive cybersecurity organization” with hands-on engagement from the board, as it views cybersecurity “not just as a competitive advantage, but as a systemic concern for our industry.”
Barra said that the automotive industry remains competitive, but is an area “where we must, and rarely do, collaborate and share best practices,” and it works with the Auto-ISAC for information sharing, while it is focused on securing the automobile process at every stage.
Referring to the Cruise autonomous vehicle arm of GM, she said that human error is responsible for 9 out of 10 crashes, and GM was keen to provide “the safest products and strongest cybersecurity and giving them greater convenience, better accessibility, at an affordable cost.”
Barra said that around $100m is spent per year on cybersecurity, and the risk is looked at end-to-end with “no shortcuts” taken by the nearly 500 practitioners “developing in-depth defense, monitoring incident response capabilities that we continually test, rework, and refine.”
One partner GM has worked with is HackerOne, “to engage more closely with the research community and identify vulnerabilities before they become an issue.” She said that this commitment showed GM's determination to maintain best practices in cybersecurity, and that the company had re-engineered its development program to create the Vehicle Intelligent Program (VIP) to support safety systems, 5G networks, and over-the-air updates “and enhanced cybersecurity protections.”
She concluded by saying that “we know this is a marathon with no finish line” and stressed the need for more talent.
Criminals are using a combination of server exploitation, email, and voice calls to execute voice phishing attacks, often referred to as vishing.
In a session at the RSA Conference in San Francisco, John LaCour, founder and CTO at PhishLabs, and Davey Ware, Special Agent at the FBI, detailed the mechanics of how vishing attacks work to defraud victims of money, as well as how one group of criminals was found.
"Vishing attacks are phishing attacks that use the telephone network," LaCour said.
He explained that in vishing attacks the lure is delivered in one of several ways, including an email message with a call-back number, SMS via a telephone provider, and robocalls from an interactive voice response system (IVR). According to data cited by LaCour, over a one-year period more than 50% of vishing attacks targeted small banks and credit unions.
Vishing attacks occur in stages: attackers first compromise a Windows server, using some form of Remote Desktop Protocol (RDP) backdoor to gain access. They also compromise IVR systems and then create fake email accounts as well.
The FBI Investigation
The FBI is aware of vishing attacks and has been actively involved in tracking down criminals. Ware detailed one such investigation involving three vishing hackers from Romania who had exploited a small bank in South Carolina.
By going through the logs of the impacted bank the FBI identified a number of clues, including IP addresses from RDP sessions. With some basic internet searching, Ware said, the FBI was able to make a link to a Facebook account and then via legal processes was able to get additional information on the criminals.
The FBI then found further evidence in Facebook chats that tied three Romanian individuals to the vishing attack. Over a two-year period, Ware said, the FBI collected enough evidence that they felt they could go to the next step, connecting with law enforcement in Romania.
Arresting the Vishers
Romanian law enforcement, working with the FBI, raided the homes of all three suspects at the same time in 2014. Ware noted that one of the criminals threw his laptop and power cord out the window as soon as police showed up. Luckily, the laptop landed in the snow and all the data was still on it.
At the time of the raid, Ware noted, there was an active RDP session open on the laptop, with a text file including credit card numbers.
"They were literally doing the scheme when the search warrant was served," he said.
While the raids were conducted in 2014, the legal process takes time. All three of the suspects were indicted in 2017, extradited to the US in 2018, and, after pleading guilty, sentenced in 2019 to jail terms of approximately 8 years.
"Why we're talking about this case now is because it has been fully adjudicated, so we can talk about it," Ware said. "We want to present this because attackers are still using the same tactics now."
In a talk at the RSA Conference in San Francisco, LexisNexis Risk Solutions director of product management Daniel Ayoub and VP of product management Dean Weinert talked about the reality of which metrics and identifiers browsers release about users.
In a talk titled “Creepy Leaky Browsers,” Ayoub said that the classic cartoon “on the internet no one knows you’re a dog” was becoming less apparent, as there is so much more info available via a browser. The concept of a browser fingerprint involves a combination of persistent and non-persistent identifiers gathered passively through application programming interfaces (APIs) built into modern web browsers.
Ayoub said these browser fingerprints are typically used for:
- Digital marketing
- Improving the user experience
- Return device recognition
- Fraud prevention
Weinert said that this all “began with cookies,” but tracking went several steps further once cookie use was limited, so identifiers could instead be derived from a user’s network information, external IP address, screen resolution, and the type of GPU. Ayoub said that many of these techniques were introduced in the late 2000s, before the EFF raised concerns about browser privacy in 2010.
“As time moved on, we saw more APIs added to browsers, and they offered details on what hardware was added, how much RAM was used, and which CPUs were now baked into the browser,” he said. This allows someone to know how a user interacts with a device, and “the key point is that real-world apps that benefit consumers take into account fingerprinting, and these are used every day in the background, and most people are unaware of it.”
Their research into different browsers showed that there were different details revealed; for example, Firefox doesn’t reveal the device memory, while Google Chrome OSX does, and some browsers support Bluetooth adapters, while some do not.
To better protect yourself while using the internet, Ayoub and Weinert recommended trying to “blend in” rather than stand out, “as more people don’t try to hide, and the best strategy is to use common operating systems and browsers.”
However, this causes an issue when trying to spot cyber-criminals, as Weinert said that the “bad guys look like regular users,” and as more browsers obfuscate, “if everything is vanilla it is harder to find the wolf among the sheep.”
Weinert said that browser vendors realized that they had to put privacy first, and he urged vendors to collaborate more closely, to the point where standards can be agreed. Vendors should “also do the right thing” when device profiles are offered for bulk resale.
For users, Ayoub recommended running the latest versions of browsers, visiting fingerprinting test sites to see what level of exposure they are comfortable with, and considering browser tools that are designed for privacy.
“Also opt-out where appropriate,” he said, and recommended finding your Advertiser ID on your device and switching it off or resetting it.
Last year's data breach at the Desjardins Group will cost the co-operative far more than initially anticipated.
Original estimates by the Quebec-based financial institution set the cost of recovering from the breach at $70m. The co-operative has now said that the final breach bill is likely to be $108m.
The data breach was intentionally carried out by a malicious employee who had access to banking details such as loans and savings. As a result of their actions, the data of 4.2 million customers who bank with Desjardins in Quebec and Ontario was exposed.
Six months after the breach was announced, the incident was found to have also affected 1.8 million credit card holders who were not Desjardins members. The employee at the center of the breach has since been fired.
News of the breach came to light in June last year. From July onward, Desjardins introduced identity protection for all members who bank with the co-operative in Quebec and Ontario, free of charge.
In November, Desjardins issued an online statement that implied that data exposed in the breach had not been misused.
The statement said: "Desjardins would like to remind its members that there was no spike in fraud cases, either before or after the privacy breach was announced on June 20."
While the repair bill does not make suitable reading material for the faint-hearted, Desjardins president and chief executive officer Guy Cormier said that the financial impact of the breach represents less than 1% of the $18bn in revenue the institution earned in 2019.
According to Cormier, Desjardins has "ample capacity" to absorb the cost of the breach into its everyday operations.
Driving up the cost of recovery is the package of compensation measures Desjardins offered its members in the wake of the breach. Included in the package was five years of free credit monitoring from Equifax, which suffered its own catastrophic data breach in 2017 in which personal data of almost half the population of the United States of America was exposed.
Cormier said that no further increase in costs related to the data breach is expected.
Researchers at the University of Texas have found a way to bamboozle malicious hackers into giving away their secrets.
The DEEP-Dig (DEcEPtion DIGging) method tricks hackers onto a decoy site set up to record whatever sneaky tactics are thrown at it. This information is then fed into a computer, where it is analyzed to produce clues on how to identify and fend off future hacking attacks.
University of Texas at Dallas computer scientists presented papers on their wily new work at the annual Computer Security Applications Conference in December in Puerto Rico and at the Hawaii International Conference on System Sciences.
Furtively obtaining information from hackers that can later be used against them is a rapidly growing cybersecurity field known as deception technology. This cunning approach encourages those working in cybersecurity to view cyber-attacks in a whole new light.
“There are criminals trying to attack our networks all the time, and normally we view that as a negative thing,” said Dr Kevin Hamlen, Eugene McDermott Professor of Computer Science.
“Instead of blocking them, maybe what we could be doing is viewing these attackers as a source of free labor. They’re providing us data about what malicious attacks look like. It’s a free source of highly prized data.”
Privacy restrictions can make it difficult for researchers to obtain sufficient data on attackers' tactics to create effective defense strategies. DEEP-Dig functions like a spy in the attacking camp, gathering up valuable real-time information on how hackers strike.
Dr. Gbadebo Ayoade, who presented the scientists' findings in Puerto Rico and Hawaii, said that having more data will make it easier to detect when an attack is under way.
“We’re using the data from hackers to train the machine to identify an attack,” said Ayoade. “We’re using deception to get better data.”
Dr Latifur Khan, professor of computer science at UT Dallas, said "attackers will feel they're successful" when they encounter the decoy site stocked with disinformation.
Mirroring the cyber-criminal’s domain-spoofing technique and using it against them to gain a window into their activity might appear like poetic justice; to Khan, it's simply another roll of the dice.
Describing the ongoing online battle between the lawless and the law-abiding, Khan said: "It's an endless game."