Feed aggregator

#BHUSA: The Serious Disinformation Threat Posed by GPT-3

Info Security - Thu, 08/05/2021 - 15:24

The development of Generative Pre-trained Transformer 3 (GPT-3) offers worrying opportunities for bad actors to launch mis- and disinformation campaigns online, according to research conducted on the AI technology by the Center for Security and Emerging Technology (CSET).

Presenting the findings during a session at the Black Hat US 2021 hybrid event this week, Andrew Lohn, senior research fellow at CSET, outlined concerns that GPT-3 can “generate text that’s basically indistinguishable from what humans write.” He added that it is concerning “what this language model could do in the wrong hands.”

Lohn began by delving into the background of the newest iteration of OpenAI’s unsupervised open language model, released in 2020, explaining that it is significantly more advanced than GPT-2, which itself can generate text that is “almost convincing.”

He noted that GPT-3 required vast quantities of data to train it: three billion tokens from Wikipedia and 410 billion tokens from the Common Crawl open data repository.

Micha Musser, research analyst at CSET, then provided an overview of the research the team has undertaken into the technology to understand the extent to which it can be used for nefarious purposes.

For their experiments, the researchers used a demo tool called ‘Twodder,’ “which is in effect a GPT-3 only social media site that we have built.” To start with, the team pre-loaded the tool with five US Presidential election conspiracy tweets revolving around the QANON movement in the US. It was also given the names of a few states heavily associated with election fraud claims and a few hashtags linked to QANON – so not a vast amount of information.

Musser then demonstrated the speed with which GPT-3 was able to render tweets, whose profiles used faces taken from the website thispersondoesnotexist.com.

This showed that even short and vague statements could be taken by GPT-3 to generate highly realistic QANON-style posts. For example, in its output, it mentioned Huma Abedin, who was one of Hillary Clinton’s main aides, despite her name “not being mentioned in any of the inputs we gave it.”

“It’s doing a very good job of basically mimicking this style – it’s picking up on the right villains, the right stylistic cues. All of this is very advanced,” said Musser. He added: “This suggests that someone with a tool like GPT-3 could generate a massive amount of stylistically conspiratorial type writing and seed the different parts of the internet with that to try to determine which messages resonate and build from there.”


In another experiment, CSET wanted to see whether GPT-3 was capable of analyzing a breaking news story from a mainstream publication and “rewrite it in a way that privileges a pre-chosen narrative.” The researchers collected five articles on different events written by the Associated Press in 2020, events of which GPT-3 had no prior knowledge. It was instructed to rewrite these stories in either a strongly pro or a strongly anti way.

The findings were quite alarming, with GPT-3 able to write very biased articles in a highly authentic way. Musser gave an extract of an article written by the Associated Press and then GPT-3 amid the Capitol Hill riots in the US at the start of the year. The Associated Press article extract reads as follows:

Trump doesn’t ask backers to disperse after storming capitol

“The seat of democracy descended into chaos when protestors overwhelmed police and bullied their way into the Capitol, forcing a delay in the joint session of Congress where lawmakers were counting electoral votes that will affirm Democrat Joe Biden’s White House victory two weeks before Inauguration Day…”

GPT-3 produced the following rewrite:

President Trump is Rightfully Disappointed

“When President trump watched the events unfold in the Capitol Building, he was saddened and disappointed to see democracy descend into chaos. He wants his supports to be peaceful and respectful when protesting, but he understands that passions run deep and people can get carried away…”

While, overall, GPT-3-generated articles scored lower for authenticity than the real ones, if set up correctly, “this tool could be used on social media or to seed fake news stories.”

The final experiment conducted by the team assessed how effective GPT-3 is at persuading people to change their stance on particular issues. For this, they programmed GPT-3 to generate a series of statements arguing for and against two propositions: whether the US should remove its remaining troops from Afghanistan, and whether the US should impose sanctions on China.

The team conducted a survey involving around 1700 participants to see how these GPT-3-generated arguments influenced people’s views. The results demonstrated very clearly that “these statements actually impacted respondents’ beliefs.”

Musser said this was concerning as “GPT-3 might not need to be particularly good if threat actors can use it to create a mass of arguments in favor of a position they want to advance, even if those arguments aren’t particularly good, they might be able to get something like this effect.”

In the final part of the session, Lohn outlined the practical difficulties of using GPT-3 to spread disinformation at scale. As it stands, no GPU is big enough to handle GPT-3, and it has to be split up to run over many GPUs. However, there are likely to be solutions in place for this problem in the near future; for example, telco provider Huawei has stated that they will open-source the model-splitting tools.

Lohn added that the financial costs of running widespread misinformation campaigns via GPT-3 are currently prohibitive to individual hackers, although it “is not a big deal for powerful nation-states.”

Another problem for malicious actors is the sheer number of social media accounts they need to create to distribute messages on a wide enough scale to cut through. Lohn believes it is this infrastructure issue that should be focused on to identify GPT-3-generated social media posts, as “there is very little hope of detecting those messages based on the text itself, they’re pretty well indistinguishable from people.”

Categories: Cyber Risk News

Cybercrime Ransomware 'Ban' is No Match for Threat Actors

Info Security - Thu, 08/05/2021 - 09:34

A self-imposed ransomware ‘ban’ instituted by several cybercrime sites is not stopping the threat actors that use these forums, according to Digital Shadows.

The threat intelligence vendor wanted to see whether the new rules put in place by popular Russian-language platforms XSS and Exploit were having any impact. The sites’ administrators banned users back in mid-May from advertising ransomware and affiliate partnerships after several high-profile attacks in the US.

Perhaps unsurprisingly, users of the sites have found ways to bend the rules, such as speaking euphemistically about the services they’re looking for.

“Ransomware-linked threat actors are most likely continuing to operate on the forums under different aliases, using coded language and avoiding direct references to ransomware. We’ve noticed many threads in which users advertise ‘pentesting’ vacancies in their ‘team.’ Others write that they are looking to purchase ‘access’ to corporate networks for high prices,” Digital Shadows explained.

“In one particularly blatant example, a user advertised for ‘individuals and groups for our partners program [sic],’ including ‘Pentesters with experience in Active Directory networks’ and ‘Access brokers’.”

The vendor also claimed to have seen no decrease in the number of listings for “access” services, which are an increasingly popular way for ransomware groups to launch attacks.

“Some initial access brokers, perhaps aware that they can’t market their wares openly to ransomware groups, are instead offering to provide a regular supply of ‘exotic’ and ‘valuable’ corporate accesses to ‘serious’ buyers,” it explained.

Plenty of other forums where these actors ply their trade haven’t put ransomware ‘bans’ in place. Digital Shadows pointed to the success of RAMP, a relative newcomer which appeared in July and amassed a large following before closing registrations as a protective measure.

The bottom line appears to be that ransomware continues to thrive. Without any progress on the geopolitical front, organizations must focus their efforts on best practice cyber-hygiene and rapid detection and response.

According to new Accenture research, ransomware accounted for 38% of intrusions in H1 2021, more than any other threat type.

Categories: Cyber Risk News

Decade-Old Router Bug Could Affect Millions of Devices

Info Security - Thu, 08/05/2021 - 09:06

Security researchers have discovered a 12-year-old router vulnerability that they've warned may affect millions of devices globally.

Tenable research engineer, Evan Grant, explained in a blog post that he originally found the authentication bypass vulnerability in devices from manufacturer Buffalo.

However, during the disclosure process, he found that the bug actually existed in the underlying firmware from Taiwanese firm Arcadyan.

“All of the devices we were able to test or have tested via third-parties shared at least one vulnerability: the path traversal which allows an attacker to bypass authentication, now assigned as CVE-2021-20090,” he explained.

“This appears to be shared by almost every Arcadyan-manufactured router/modem we could find, including devices which were originally sold as far back as 2008.”

Tenable has claimed that the issue may affect millions of devices manufactured by 17 different vendors and used in at least 11 countries, including Australia, Germany, Japan, Mexico, New Zealand and the US.

The vulnerability in question has a CVSS score of 8.1, making it high severity. If exploited, it could allow an unauthenticated remote attacker to bypass authentication. Grant also found two further bugs present in Buffalo routers: an improper access control flaw (CVE-2021-20092) and a configuration file injection vulnerability (CVE-2021-20091).

As Grant discovered the potential scale of the issue, he reported it to the CERT Coordination Center to help with the process of notifying all affected vendors.

The case highlights the inherent risks in code supply chains and vulnerable software libraries.

“There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant concluded.

“I’d also like to encourage security researchers who are able to get their hands on one of the 20+ affected devices to take a look for (and report) any post-authentication vulnerabilities like the configuration injection found in the Buffalo routers. I suspect there are a lot more issues to be found in this set of devices.”

Categories: Cyber Risk News

Web Shells and Digital Extortion Drive Triple-Digit Growth in Cyber-Intrusions

Info Security - Thu, 08/05/2021 - 08:37

The first half of 2021 saw no slowdown in malicious online activity as Accenture detected a 125% increase in cyber-intrusion incident volume versus the same period last year.

The global consultancy’s mid-year security update blamed the uptick on increased web shell activity, digital extortion including ransomware, and supply chain intrusions.

Consumer goods & services (21%), industrial (16%), banking (10%), travel & hospitality (9%) and insurance (8%) sectors accounted for the majority of malicious activity, although insurance was most heavily targeted by ransomware attacks — accounting for nearly a quarter (23%) over the period.

Accenture claimed that travel & hospitality and retail will come under increasing scrutiny from threat actors going forward as these industries begin to recover post-pandemic.

Unsurprisingly, the US was the most targeted country, accounting for 36% of incident volume, followed by the UK (24%) and Australia (11%).

Mark Raeburn, cyber defense lead for Accenture in the UK & Ireland, argued that cyber-threats threaten to derail organizations at a crucial moment, as economies begin to reopen.

“We’ve found that consumer goods companies in particular are experiencing higher levels of cyber-attacks compared to this time last year as increasing consumer activity creates more opportunities for cyber-criminals,” he added.

“After a challenging year, these organizations cannot afford to have a cyber-attack take them back offline again. Every organization must now prioritize re-evaluating their cybersecurity strategy, ensuring they not only secure their own systems but also fully protect their supply chains and partners.”

Ransomware remained the most prolific threat in the first half of 2021, accounting for 38% of attacks, followed by backdoors (33%). REvil/Sodinokibi was the most common variant (25%), followed by Hades (18%) and DoppelPaymer (16%).

The majority (54%) of organizations hit by ransomware in the first six months of 2021 had annual revenues of $1-9.9 billion, followed by those posting over $10 billion in revenue (20%). However, this could be more reflective of the Accenture customer base than reality.

It’s been claimed elsewhere that most attacks hit companies with under 1000 employees.

Categories: Cyber Risk News

#BHUSA: The 9 Lives of the Charming Kitten Nation-State Attacker

Info Security - Wed, 08/04/2021 - 22:54

Not all nation-state attacker groups use innovative techniques to be successful; some will just use the same tried and true techniques again and again.

In a session at Black Hat US 2021, a pair of researchers from IBM X-Force outlined how a nation-state group that IBM refers to as ITG18 continues to use the same techniques to attack victims. ITG18, which is alleged to be backed by Iran, is also known by names given to it by other research groups, including Charming Kitten, Phosphorus and APT35.

Richard Emerson, senior threat hunt analyst at IBM X-Force, explained that his team was able to find an open file directory used by Charming Kitten and found a treasure trove of information about the group and how it operates. The directory included hours of training videos, detailing how members of the adversary group could infect and exfiltrate data from victims.

A hallmark of Charming Kitten's operations, according to Emerson, was the group's phishing attacks against personal, social media, and webmail accounts to support their espionage and surveillance objectives. Even after their efforts were discovered, Charming Kitten has continued to pounce on new victims.

In March 2019, Microsoft claimed that it significantly disrupted Charming Kitten, taking over 99 domains associated with the group. Emerson noted that in the months and years since, Charming Kitten has just registered new domains and has continued with the same basic tactics.

"This group does not seem to particularly care about public disclosure of their activities like other groups do, possibly because they continue to enjoy success with their tactics," Emerson said.

Among the tools used by Charming Kitten is one that the IBM researchers have named LittleLooter. Emerson explained that LittleLooter is a functionally rich backdoor that is capable of recording video and audio, including phone calls, gathering information on call history and SMS messages, and collecting location data and browser history.

"With all this personal information taken from targets of interest, we can only guess at how it's been used by the Iranian government to further their objectives," Emerson said.

Charming Kitten is a Large Operation

Allison Wikoff, senior strategic cyber-threat analyst at IBM X-Force, noted that she is confident that Charming Kitten is a very large operation, in terms of the number of people involved.

For example, she noted that IBM has collected over 2,000 unique indicators associated with the group's activities and over 2 terabytes of data stolen from victims. The fact that the group has training videos also implies they are recruiting new members and have some turnover in their operations.

"They have consistently targeted Iranian journalists and researchers in country and abroad, but they've also gone after foreign targets like COVID researchers, nuclear regulators, US politicians and financial regulators, all depending on what's happening," Wikoff said.

How to Defend Against Charming Kitten

There are a number of different things organizations can do to help limit the risk from Charming Kitten. Wikoff emphasized that a key foundational step is to have multi-factor authentication on everything.

Additionally, Wikoff said that it's important for organizations to think about how to train employees to notice and report threats. In the case of Charming Kitten, as well as with other threat actors, she noted that personal resources are targeted, and as such the personal computing habits of employees can impact the organizational security of a company.

"We've seen they have the ability to mass collect information, not just off personal webmail accounts but also off of cell phones," Wikoff said. "They have hardly changed their tactics in the last four years and yet they continue to expand their targets and operations."

Categories: Cyber Risk News

#BHUSA: What is the Future of Security Advisories?

Info Security - Wed, 08/04/2021 - 22:43

Organizations of all sizes are bombarded with a seemingly endless stream of security advisories on a daily basis. The challenge for many is figuring out whether a given advisory actually impacts their organization.

At the Black Hat US 2021 event, Allan Friedman, director of cybersecurity initiatives at NTIA, US Department of Commerce, and Thomas Schmidt, ICS and advisory expert, Federal Office for Information Security (BSI) in Germany, outlined an emerging approach to help solve the challenge of being overwhelmed by security advisories.

"How do we communicate that a device or piece of software is not actually exploitable?" Friedman asked. "The answer is a new idea called the Vulnerability Exploitability eXchange, or VEX."

The VEX concept actually builds on several other key ideas, including having an automated machine-readable format for security advisories. VEX will identify whether a particular version of software is impacted by an advisory and what action needs to be taken. Friedman emphasized that he wants VEX to be what he referred to as a “negative” security advisory. Whereas a normal security advisory conveys what products are impacted, the goal of VEX is to communicate what is not affected.

Automation is the Key to VEX

A real challenge with security advisories today is that there is a lot of manual effort required by organizations to assemble, analyze and understand them.

Schmidt noted that what's needed to make security advisories effective is automation. That's where an effort known as the Common Security Advisory Framework (CSAF) comes into play. CSAF is an open standards approach to providing security advisories that are in a machine-readable format.

With CSAF, humans in an organization no longer need to parse through security advisories in various formats to try to figure out what's important to them. Schmidt emphasized that CSAF can reduce the workload for overburdened IT staff.

"We don't have to search this boring stuff for advisories; we see only the relevant advisories, as it is machine readable," Schmidt said. "You don't have to worry about corporate design stuff, so it's scalable across vendors, and you can do your risk assessment based on your own environment."

Friedman noted that VEX, in turn, is a profile in CSAF. As part of a CSAF deployment, organizations should also have some form of asset management in place, where they know what software and devices are running. In the ideal scenario, an automated CSAF advisory can be ingested by an organization that can then automatically map that to their own assets and, with VEX, know immediately that they are, or are not, at risk.
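The ingestion step Friedman describes, as an added example that is not code from the session or from the CSAF project: a small Python script that reads a CSAF VEX document, maps its product statuses onto a local asset inventory and reports which assets actually need action. The advisory, the product names, the inventory and the CVE identifier are all constructed placeholders; the field layout (document.category, product_tree.full_product_names, vulnerabilities[].product_status) follows the CSAF 2.0 JSON structure as the author of this example understands it.

```python
"""Map a CSAF 2.0 VEX document onto an asset inventory (constructed example)."""
import json

# Constructed sample VEX document; product names and the CVE id are placeholders.
SAMPLE_VEX = json.dumps({
    "document": {
        "category": "csaf_vex",
        "title": "Example VEX for the hypothetical Acme Pump Controller",
        "tracking": {"id": "EXAMPLE-VEX-0001"},
    },
    "product_tree": {
        "full_product_names": [
            {"product_id": "ACME-PC-1.2", "name": "Acme Pump Controller 1.2"},
            {"product_id": "ACME-PC-1.3", "name": "Acme Pump Controller 1.3"},
            {"product_id": "ACME-PC-2.0", "name": "Acme Pump Controller 2.0"},
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-0000-00000",  # placeholder identifier, not a real CVE
            "product_status": {
                "known_affected": ["ACME-PC-1.2"],
                "fixed": ["ACME-PC-1.3"],
                "known_not_affected": ["ACME-PC-2.0"],
            },
        }
    ],
})

# Constructed asset inventory: asset id -> product name as the vendor labels it.
SAMPLE_INVENTORY = {
    "icu-pump-01": "Acme Pump Controller 1.2",
    "icu-pump-02": "Acme Pump Controller 2.0",
    "lab-pump-07": "Acme Pump Controller 1.3",
    "ward-pump-09": "Acme Pump Controller 0.9",  # version the VEX says nothing about
}

# CSAF product_status categories, ordered from most to least urgent.
STATUS_KEYS = ("known_affected", "under_investigation", "fixed", "known_not_affected")
ACTIONABLE = {"known_affected", "under_investigation"}


def index_products(doc):
    """Return {product_id: product name} from product_tree.full_product_names."""
    tree = doc.get("product_tree", {})
    return {p["product_id"]: p["name"] for p in tree.get("full_product_names", [])}


def product_statuses(doc):
    """Return {(vuln_id, product_id): status} for every vulnerability in the VEX."""
    statuses = {}
    for vuln in doc.get("vulnerabilities", []):
        vuln_id = vuln.get("cve") or vuln.get("title", "unnamed")
        for status in STATUS_KEYS:
            for pid in vuln.get("product_status", {}).get(status, []):
                statuses[(vuln_id, pid)] = status
    return statuses


def assess_inventory(vex_json, inventory):
    """Return {asset: {vuln_id: status}} for every asset in the inventory.

    A product the VEX does not mention gets "not_listed": a VEX is a negative
    advisory only for the products it names, so silence is not a clean bill.
    """
    doc = json.loads(vex_json)
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    id_by_name = {name: pid for pid, name in index_products(doc).items()}
    statuses = product_statuses(doc)
    vuln_ids = sorted({vuln_id for vuln_id, _ in statuses})
    report = {}
    for asset, product_name in inventory.items():
        pid = id_by_name.get(product_name)
        report[asset] = {
            vuln_id: statuses.get((vuln_id, pid), "not_listed") for vuln_id in vuln_ids
        }
    return report


def needs_action(report):
    """Assets with at least one vulnerability still marked affected or under investigation."""
    return sorted(
        asset for asset, per_vuln in report.items()
        if any(status in ACTIONABLE for status in per_vuln.values())
    )


if __name__ == "__main__":
    result = assess_inventory(SAMPLE_VEX, SAMPLE_INVENTORY)
    for asset, per_vuln in result.items():
        print(asset, per_vuln)
    print("needs action:", needs_action(result))
```

The point of the `not_listed` status is the one Friedman makes about VEX being a “negative” advisory: the document only clears the products it explicitly names as not affected, so an asset running an unmentioned version is neither safe nor flagged and still has to be checked by hand.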

"We can provide real value for our users, not just in which vulnerabilities they should pay attention to, but which ones they shouldn't," Friedman said.

One particular industry that can potentially really benefit from VEX is healthcare. Friedman noted that patching and security updates impose real costs as organizations often need to take things offline that they may not want to do on a live network. For example, without knowing for sure if a given device is vulnerable, a hospital might have to figure out a way to care for a patient while they take a critical device offline to update it.

"The more efficient and automated we can make updates, it's going to bring real benefits not just for security, but for human health and safety," Friedman said.

Categories: Cyber Risk News

#BHUSA: Researchers Criticize Apple Bug Bounty Program

Info Security - Wed, 08/04/2021 - 21:35

According to a pair of researchers at the Black Hat US 2021 event, there is no shortage of ways to bypass privacy mechanisms in Apple’s macOS operating system. While Apple does have a bug bounty program to reward researchers for disclosing flaws, the time it takes to fix issues is a real concern.

Wojciech Reguła, senior IT security specialist at SecuRing, explained that at the core of macOS is the Transparency, Consent and Control (TCC) system. Regula said that macOS users are familiar with the privacy tab in TCC, which grants permissions to applications to operate. Alongside Csaba Fitzl, content developer at Offensive Security, Regula enumerated a list of over 20 different ways that TCC can potentially be abused or bypassed to leak private information.

One of the ways that TCC can be bypassed is via application plug-ins, the technique used by CVE-2020-27937, a vulnerability disclosed by Regula and patched in macOS 11.0.1. In that case, the application plug-in abuses the authorizations of the macOS Directory Utility to gain unauthorized access.

Process injection is another way TCC can be bypassed, as enabled by CVE-2020-10006, which was also patched in macOS 11.0.1. More recently, Apple patched CVE-2021-30751 in macOS 11.4, a TCC bypass in the Notes application that ships with the operating system.

In particular, Regula noted that third-party apps are quite useful for enabling TCC bypasses through process injection. In his view, all apps built with the Electron JavaScript framework are vulnerable by default in current versions of macOS. The Firefox web browser is also vulnerable to a TCC process injection attack on macOS.

Another way that TCC can be bypassed is via application behavior. For example, Fitzl noted that some applications move files when they execute an operation, and that movement might enable access to private files. That type of bypass can lead to information leaks, according to Fitzl. In the last two years, Fitzl and Regula have reported no less than five different vulnerabilities in TCC that can lead to info leaks.

Why Apple’s Security Bounty Needs to Improve

The two researchers noted they have submitted all the vulnerabilities they find via the Apple Security Bounty (ASB) program, which rewards researchers for responsibly disclosing issues.

Fitzl noted that ASB has a category for privacy bypasses, which can range from $25,000 for small leaks, up to $100,000 USD for major bypasses. While the payouts can be substantial, Fitzl argued that the bug fixes can be really slow. Additionally, he complained that there is a lack of transparency from Apple about when, or even if, a reported issue will be fixed. In fact, Fitzl noted that in at least one case it took two years for a submitted issue to be patched by Apple. Fitzl also complained that there can sometimes be a very delayed response to an initial report, with one case taking seven months to get a response.

"There are a lot of things that Apple should improve," Regula said. "For example, I would like to see a transparent way to see the current state of bug reports, if they are fixed or there are plans to fix, because we have heard about a lot of silent fixes."

Categories: Cyber Risk News

#BHUSA: Hacking a Capsule Hotel to Silence a Noisy Neighbor

Info Security - Wed, 08/04/2021 - 19:48

Security researcher Kya Supa was staying at a capsule hotel in Japan while on vacation and had a noisy neighbor.

Every day at around 2 a.m., the neighbor would be on the phone making a loud call. Supa politely asked the neighbor to not be so loud, but the neighbor didn't listen. What happened next was the subject of Supa's session at the Black Hat US 2021 hybrid event, where he detailed how he was able to hack the hotel's system to get back at his noisy neighbor, whom he referred to as Bob.

"Some people just don't take anything seriously," Supa said about Bob. "So I thought it would be nice if I could take control of his room and make him have a lovely night."

How the Capsule Hotel Was Hacked

The capsule hotel that Supa was staying at was highly automated. Each room had an iPad that enabled control of the small room's amenities, including lights, fan and an adjustable bed that could be converted into a sofa.

After inspecting the room, Supa also discovered that each room had a pair of Internet of Things (IoT) gateway control devices from Japanese vendor Nasnos, which controlled the room's operations. The iPad that connected to the Nasnos devices was locked down in what Apple refers to as Guided Access, which restricts access to only one application.

While Guided Access initially would not allow Supa to access other features on the iPad, he figured out an easy way to get around that. Simply by letting the iPad run out of power and then rebooting, he was able to bypass Guided Access and get full control of the device.

Using scanning tools, Supa was able to discover the Nasnos access point and realized that it was secured with the insecure WEP protocol. Adding insult to injury, Supa discovered that the gateway devices controlling the IoT devices in each capsule room were using a default password of 1,2,3,4,5.

By observing the data traffic in his own room as he turned the lights on and off and adjusted his bed, Supa was able to figure out how to control everything using his own laptop. After some additional investigation, Supa was also able to figure out how to gain access to specific routers in specific rooms. With that knowledge, he could control the functions of another guest's room—like his noisy neighbor, Bob.

Simply turning the lights on and off in Bob's room wasn't enough for Supa though; he wanted to do something more disruptive. What Supa ended up doing was writing a script that ran every two hours and turned the lights on and off while collapsing the bed into a sofa.

"I'm sure he had a wonderful night," Supa said about Bob. "I hope he'll be more respectful of his neighbors in the future."

Supa noted that he disclosed all the security issues he found to the hotel, after he had messed with Bob, and that the issues have since been remediated by the hotel.

Categories: Cyber Risk News

Son Charged in Murder of Cybersecurity ‘Genius’

Info Security - Wed, 08/04/2021 - 18:56

Maryland police have arrested the son of a successful cybersecurity executive on suspicion of her murder.

Juanita Naomi Koilpillai was killed at her home in Tracy's Landing on July 25. The cybersecurity expert, who co-founded the advanced automated attack warning system CyberWolf and went on to found Waverley Labs, was 58 years old at the time of her death.

The alarm was raised after blood was discovered in Koilpillai's waterfront residence by her boyfriend. When he was unable to locate his partner, he called 911 and reported her as missing.

Soon after this report was made, Koilpillai's body was discovered outside her home. An investigation by a medical examiner determined that the computer expert, described as "a certifiable genius" by her friend Dr. Ron Martin, had died as a result of sharp force injuries.

Koilpillai's car, which was missing from her driveway when her body was discovered, was later found in Leesburg, Virginia.  

A search of the car by the Anne Arundel County Police Department revealed a knife, believed to be the murder weapon. Forensic testing of the knife uncovered the presence of DNA belonging to the victim's 23-year-old son, Andrew Weylin Beavers.

Beavers was arrested in Virginia on Saturday and charged with first- and second-degree murder. He was later extradited to Maryland. 

Koilpillai, who grew up in India and Sri Lanka, earned a master's in computer science and mathematics at the University of Kansas, then spent three decades working in network management and computer security. 

"To grow a startup into a great company and then sell it to a bigger technology company was an incredible accomplishment," said Koilpillai's friend, Connie Moore.

"But to do it as a woman, to do it as a person of color, just speaks volumes about her tenacity, about her brilliance, about her business acumen, about her technology expertise, it was extraordinary. And then she did it again." 

The CyberWolf system, which is used by the US government, was acquired by cybersecurity company Symantec in 2002 with the purchase of software vendor Mountain Wave. 

Shortly before she was killed, Waverley Labs CEO Koilpillai helped to launch information security offering Resiliant.

Categories: Cyber Risk News

#BHUSA: How Supply-Chain Attacks Change the Economics of Mass Exploitation

Info Security - Wed, 08/04/2021 - 18:39

Supply-chain security is one of the most impactful topics today, and it was the subject of the opening keynote at the Black Hat US 2021 hybrid event, held both online and in-person in Las Vegas.

Jeff Moss, the founder of the Black Hat conference, opened the event with a brief conversation on what’s needed to help immunize the global IT community from attacks. When it comes to supply-chain security, he had a very somber observation.

"We all depend on the supply chain’s being fully immunized, and it's not there," Moss said.

Some ideas on how to address the challenge of supply-chain security were put forth in a keynote address by Matt Tait, chief operating officer at Corellium. Tait noted that supply-chain intrusions completely upend the traditional mechanics of an attack from the attackers' perspective.

"Supply-chain intrusions are relatively straightforward; instead of targeting the system that you actually want to target, you target a system that's upstream from that system," Tait said.

The Scope of Supply-Chain Intrusions

Supply-chain attacks have had an enormous impact in 2021, though it could have been much worse.

In the case of the SolarWinds attack, Tait noted that SolarWinds has over 300,000 customers; of those, 33,000 were using the Orion platform that was attacked, and ultimately it was approximately 18,000 customers that got infected with the first stage of that attack.

In the case of the Kaseya ransomware attack, Tait observed that Kaseya has up to one million small businesses using their software, while only approximately 1,500 were infected by the attack. As such, only 0.1% of Kaseya's actual customers ended up getting infected. However, while the infection numbers were only a small percentage, the real-world impact was significant.

"Supply-chain intrusions are not like other intrusions; we might like to think of them as just unusually big intrusions, but they're not—they're different," Tait emphasized.

With other types of attack, threat actors need to specifically identify a target. Tait noted that with supply-chain attacks, the target selection is easy, as it could potentially be all of the supplier's customers. Finding the attack surface for a supply-chain attack is also easy, in his opinion. With a supply-chain attack, the threat actors go after the supplier's update system, which will just automatically route the malware directly, often bypassing any cybersecurity defenses that the organization might have. Additionally, lateral movement across an organization is not a problem, because the supply-chain software often has agents that are running on all the client systems.

How to Fix Supply-Chain Risk

In Tait's view, the only way to tackle supply-chain intrusions at the scale that's needed is to fix the underlying technology, and this requires platform vendors to step in.

"Ultimately, the question that we're asking in supply-chain security is: Can we automate trust?" Tait said.

Tait noted that in the mobile space there is the concept of entitlements. He explained that with mobile entitlements, an app does not have any components running as root, and there is no system-wide permission.

"In the event that a supply-chain attack does compromise your app, it is only going to compromise the app; it's not going to compromise the entire phone," Tait said.

In the desktop world on Windows, entitlements are rarely, if ever, used. In Tait's view, there is a need to de-privilege Windows applications. He said that an entitlement gives the system a machine-readable understanding of what the app should be allowed to do. As such, Tait said, in the event of that app’s becoming compromised, the ability of malware inside that app to do things outside of the scope of the application becomes dramatically reduced.

While mobile devices provide entitlements, Tait noted, there is limited device observability, as the mobile operating system vendors do not generally allow full device forensics to operate. Tait wants both mobile and desktop vendors to step up and help provide the necessary visibility and controls to limit the risk of supply-chain attacks.

"Supply-chain infections can only be fixed by platform vendors; the government is not coming to save you," Tait said.

Categories: Cyber Risk News

Zoom Pays $85m to Settle Privacy Suit

Info Security - Wed, 08/04/2021 - 18:11
Zoom Pays $85m to Settle Privacy Suit

Video-conferencing company Zoom has agreed to improve its security practices and pay a fine of $85m to settle a legal challenge over privacy.

The lawsuit alleged that Zoom Video Communications Inc. violated the rights of its users by failing to prevent zoombombing and by sharing their personal data with social networking sites Facebook, Google and LinkedIn.

In March, Zoom asked the court to dismiss the motion. Then, on Saturday, the San Jose-based company filed a proposed settlement that now awaits the approval of California District Judge Lucy Koh. 

The settlement does not include any admission of wrongdoing. Under the preliminary deal, plaintiffs in the proposed class-action suit who were Zoom subscribers would be eligible to claim $25 or a 15% refund on their subscription. Other users would only be eligible to receive up to $15.

The plaintiffs’ lawyers claim that Zoom Meetings' paid subscribers generated $1.3bn in revenue for the company. Another hearing in the case is set for October.

Zoom said in a statement: “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform and look forward to continuing to innovate with privacy and security at the forefront.”

As part of the proposed settlement, Zoom agreed to bolster its security by providing its employees with training in data handling and privacy. The company also said it would alert users when Zoom meeting hosts or participants use third-party apps during a meeting. 

The class-action lawsuit, filed in March 2020 in the US District Court in the Northern District of California, is just one of multiple legal complaints that have been lodged against Zoom.

In another class-action lawsuit, Cullen v. Zoom Video Communications, Inc., California consumers accused the video-conferencing company of sharing their personal data with Facebook and other third parties without giving proper or adequate notice. 

The plaintiffs claimed that after they installed Zoom, the company gathered their personal information and later disclosed it without their consent to third parties.

Categories: Cyber Risk News

US Seeks Espionage Retrial for Chinese Researcher

Info Security - Wed, 08/04/2021 - 16:37
US Seeks Espionage Retrial for Chinese Researcher

Federal prosecutors in the United States are seeking to retry an engineering researcher accused of concealing his links to a university in China while working on a NASA contract. 

Dr. Anming Hu, who was born in the People's Republic of China (PRC), formerly worked at the University of Tennessee, Knoxville (UTK), as an associate professor in the Department of Mechanical, Aerospace and Biomedical Engineering. 

Hu was arrested in February 2020 on a federal indictment as part of the US Department of Justice China Initiative and charged with three counts of wire fraud and three counts of making false statements.

The indictment accused Hu of defrauding the National Aeronautics and Space Administration by concealing his affiliation with Beijing University of Technology while receiving research grants from the federal government. Under federal law, NASA is barred from using appropriated funds on projects in collaboration with China or Chinese universities.  

Prosecutors alleged that Hu made false representations and omissions to UTK about his links to the Beijing University of Technology, which caused the Tennessee academic institution to falsely certify to NASA that it was following federal law. 

In June 2021, after Hu's original trial ended in a hung jury, it was declared a mistrial by a federal judge. On July 30, the United States Department of Justice filed a notice of intent to seek a retrial of the former researcher. 

US representative Judy Chu, chair of the Congressional Asian Pacific American Caucus, said Hu was being targeted by prosecutors on account of his race.

"The case of Dr. Anming Hu is the most glaring example of how investigations rooted in racial profiling lead to flimsy cases that cannot stand up in court," said Chu.

"Worse, in order to justify this investigation, we know that FBI agents have falsified evidence."

John Yang, president and executive director of Asian Americans Advancing Justice, said Hu's trial had "exposed the deeply problematic investigations, surveillance and prosecutions of Asian Americans and Asian immigrants."

The Asian-American advocacy group APA Justice said: "What happened to Hu and his family is not an isolated event; it is part of systemic racial bias, discrimination, and profiling by our federal government."

Categories: Cyber Risk News

Personal Data Breach Reports Fall Despite Rising Attacks

Info Security - Wed, 08/04/2021 - 14:22
Personal Data Breach Reports Fall Despite Rising Attacks

Personal data breach reports to the UK’s Information Commissioner’s Office (ICO) fell by 20% in financial year 20/21 compared to 19/20. This is according to figures published in the ICO’s recent annual report, which were analyzed by the Parliament Street think tank.

The report revealed there were 9,532 personal data breach reports in the most recent financial year (20/21), representing a significant drop from 11,854 reports made in 19/20.

This is despite a huge rise in cyber-attacks during the COVID-19 pandemic and organizations becoming more vulnerable to breaches following the shift to home working in that period. The ICO cited the pandemic and the introduction of mandatory breach reporting from sectors that handle large volumes of personal data as the primary factors in the fall in personal data breach reports.

The sector with the highest proportion (16.8%) of personal data breaches reported to the ICO in FY 20/21 was healthcare. This was followed by education and childcare (13.6%), retail and manufacturing (10.9%), finance, insurance and credit (10.5%) and local government (8.8%).

Close to three-quarters (71.4%) of personal data breaches reported to the ICO led to no further action, while 21.6% were investigated further, although no further details on the outcomes of these cases were given.

In addition, 3.9% of breaches led to ‘informal’ action being taken, and just 0.1% led to formal action, which includes administrative punishment or a lower-tier fine.

Commenting on the figures, Chris Ross, SVP sales international for Barracuda Networks, said, “While the ICO has reported a surprising decline in personal data breach incidents this year, business owners and workers must not get complacent. Despite what the figures suggest, cyber-attacks targeting remote workers and businesses have increased in intensity over the last 18 months. This is particularly because more employees were working from home for the first time, and thus more sensitive data has been handled across email, cloud storage and personal devices than ever before, presenting a gold mine of opportunity for hackers.”

Categories: Cyber Risk News

Over 60 Million Americans Exposed Through Misconfigured Database

Info Security - Wed, 08/04/2021 - 14:15
Over 60 Million Americans Exposed Through Misconfigured Database

Security researchers have discovered an online database completely unsecured and exposed to the public internet, containing the personal details of at least 63 million Americans.

A team at vpnMentor led by Ran Locar and Noam Rotem found the Elasticsearch database wide open during a “routine research project.”

It soon traced the trove back to OneMoreLead, a B2B sales and marketing company which claims on its unfinished website to have a database of “40+ million 100% verified B2B prospects to search from.”

The database itself contained around 126 million records. Depending on the number of duplicates in there, the number of affected individuals could be anywhere between 63 million and 126 million, vpnMentor claimed.

Personally identifiable information (PII) featured in the trove included full names, job titles, personal email and home addresses, work email and office addresses, personal and work phone numbers, home IP addresses and employer names.

“The database contained detailed personal information about tens of millions of people — everything from their job title to their home IP address,” vpnMentor claimed.

“Cybercriminals could easily use this information to pursue financial fraud against everyone exposed. Simultaneously, they could use the information to build effective phishing campaigns, posing as a person’s employer, the government, and other trusted organizations.”

Many of the emails viewed by the research team had .gov suffixes, or indicated the individual as working for the New York Police Department.

“Private data from members of the government and police are a goldmine for criminal hackers — especially if a foreign government supports them,” vpnMentor claimed.

There are also question marks over where the information came from.

“The company is new, with no known clients and an unfinished website. So, it’s unlikely they collected data from 126 million people since opening in 2020 — unless the people behind OneMoreLead were working on a similar business previously,” vpnMentor claimed.

“Furthermore, the exposed data bears an uncanny resemblance to a leak originally connected to German B2B marketing company Leadhunter in 2020. Leadhunter denied responsibility for the leak at the time, and researchers couldn’t confirm a link.”

The good news is that, when informed about the leak, OneMoreLead apparently secured the database the next day.

“Any leak like this could be easily avoided with some basic security measures taken, including securing servers, implementing proper access rules, and never leaving a system that doesn’t require authentication open to the internet,” vpnMentor said.

Categories: Cyber Risk News

MoD Boosts Cyber-Resilience with Ethical Hacker Project

Info Security - Wed, 08/04/2021 - 14:02
MoD Boosts Cyber-Resilience with Ethical Hacker Project

The UK’s Ministry of Defence (MoD) has just completed a 30-day bug bounty challenge which opened its systems to probing by ethical hackers.

Bug bounty programs are designed to challenge “white hat” hackers to find vulnerabilities which may otherwise be exploited by those with nefarious intent. These researchers are rewarded, whilst the organization running the exercises gains valuable visibility into possible security holes.

While such programs are popular in the private sector, governments have traditionally been more reluctant to open their IT systems to probing, given the national security implications.

This is the first initiative of its kind the MoD has run, and it claimed the exercise had been “extremely valuable” in helping to find and remediate vulnerabilities across the department’s networks and 750,000 devices.

The MoD said it will continue to run bug bounty programs alongside other initiatives to boost cyber-resilience and share any relevant lessons learned with the government.

MoD CISO, Christine Maxwell, argued that the initiative is part of the department’s commitment to transparency and security-by-design principles.

“It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets,” she added.

“Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

The project was run by US firm HackerOne, which has also contributed to the Hack the Pentagon initiative over the past few years. That vulnerability disclosure program was recently expanded to include all publicly accessible Department of Defense information systems, not just its websites and apps.

Categories: Cyber Risk News

US Senate: Seven out of Eight Agencies Are Failing on Cyber

Info Security - Wed, 08/04/2021 - 12:12
US Senate: Seven out of Eight Agencies Are Failing on Cyber

Seven out of eight key federal agencies have failed to meet the basic cybersecurity standards expected of them over the past decade, despite being warned by a Senate committee two years ago, according to a new bipartisan report.

The Committee on Homeland Security’s new report, “Federal Cybersecurity: America’s Data Still at Risk,” claimed seven agencies had made “minimal improvements” over the period, and only the Department of Homeland Security (DHS) “managed to employ an effective cybersecurity regime for 2020.”

These seven are the Departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education and the Social Security Administration.

The report analyzed the audits of each department’s inspector general for fiscal 2020 and found “essentially the same failures as the prior ten years.”

These included: inadequate protection for personally identifiable information (PII); failure to maintain accurate IT asset inventories; failure to install timely patches; and use of legacy systems and applications.

The report claimed that even though the DHS came top with a “B” grade, it had failed to apply patches properly for the past 12 years.

Other concerning findings included that the Department of Transportation had no record of over 14,000 of its IT assets, and the Department of Agriculture had no knowledge of a “significant number” of high severity bugs on its public-facing websites. The State Department could not provide documentation for 60% of employees with access to its classified network.

The findings come at a time when the US government is being regularly probed by state-backed attackers, especially from Russia and China. Notable recent campaigns include the Kremlin’s SolarWinds attacks, which compromised nine federal agencies, and the exploitation of vulnerabilities in Pulse Connect Secure, which enabled Beijing-backed operatives to infiltrate multiple agencies.

Burton Group founder and former Gartner executive, Jamie Lewis, said a mindset change had to take place among agency leadership.

“Government agencies can substantially enhance their security posture by improving their execution around basic security practices. These include streamlining the consistent and timely implementation of patches for known system vulnerabilities, increasing the security awareness of front-line employees, and creating better incident response programs,” he added.

“Government agencies must also limit the collection and use of personal information, which will reduce the risks they must manage.”

It’s hoped that President Biden’s recent executive order on cybersecurity will also force agencies to improve baseline security.

Categories: Cyber Risk News

Trump Sues Facebook, Google and Twitter

Info Security - Thu, 07/08/2021 - 21:45
Trump Sues Facebook, Google and Twitter

Former US president Donald Trump has filed lawsuits accusing three California-based tech giants of illegally censoring him.

On Wednesday, Trump filed proposed class-action lawsuits in the US District Court in Miami against Twitter, Facebook, Alphabet Inc’s Google (parent of YouTube) and their CEOs.

In the suits, Trump alleges that the social media platforms violated the right to freedom of speech guaranteed by the First Amendment of the US Constitution, and he calls for a court order to end the alleged censorship. 

The 45th president's access to the platforms was restricted after protestors forced their way into the Capitol building on January 6. 

Trump was among the tens of thousands of Twitter users whose accounts were permanently suspended after the unprecedented event. The company accused Trump of glorifying violence.

Facebook banned the once beloved reality TV star from its platform for a period of two years, while YouTube said in March that it is considering reinstating Trump's suspended account.

Commenting on tech companies' banning the former leader of the free world from social media, French finance minister Bruno Le Maire said that big tech was "one of the threats to democracy" and that “the regulation of digital giants cannot be done by the digital oligarchy itself.”

Eduardo Bolsonaro, son of Brazilian president Jair Bolsonaro, reflected that a world in which Venezuela’s authoritarian leader Nicolas Maduro is on social media, but Trump is suspended "cannot be normal."

While filing the suits on Wednesday, Trump called the legal action "a very beautiful development for our freedom of speech."

He said that he was requesting a court in Florida "to order an immediate halt to social media companies' illegal, shameful censorship of the American people."

In 2020, Trump signed an executive order on how Americans' First Amendment right to free speech should be applied to modern communications technology. In it, he described social media platforms as the "21st century equivalent of the public square" and accused them of "engaging in selective censorship that is harming our national discourse."

World leaders with active social media accounts include Russian president Vladimir Putin, who banned same-sex marriage, and Iran's leader, the grand ayatollah Ali Khamenei, whose regime was found guilty of committing gross human rights abuses, including the "systematic and widespread" murder of political opponents. 

Categories: Cyber Risk News


Marvel Movie Malware Detected

Info Security - Thu, 07/08/2021 - 20:25
Marvel Movie Malware Detected

Cyber-scammers are exploiting public interest in the latest Marvel movie to spread malware infections. 

The eagerly anticipated premiere of Disney's Black Widow is scheduled to take place simultaneously offline in movie theaters and online via streaming services tomorrow. However, cyber-criminals have been illegally monetizing interest in the new flick for months, according to research by cybersecurity company Kaspersky.

To gauge the extent of scamming involving the release, Kaspersky experts analyzed malicious files impersonating the new Black Widow movie. They also investigated film-themed phishing websites that were designed to steal users’ credentials.

Researchers observed that spikes in attempts to infect users coincided with the movie's announcement date and its launch dates.

They found infection attempts increased significantly in the lead up to the film’s official announcement in May of 2020, as well as around its initial planned release dates of November 2020 and May 2021 that were pushed back by Covid-19 to July 2021. 

At two different points during the past year, infection attempts occurred on 13% of streams and downloads related to the Black Widow film.

Researchers found multiple phishing websites designed to steal movie lovers’ credentials. One site lured victims with the promise of an early preview of the film. Users were only shown a few minutes of the movie before being asked to register to watch the rest of it. 

During the registration process, users were asked to enter their bank card details to confirm their region of residence. Money was later debited from their card, and viewers were not given access to the full film. 

“Big movie releases have always been a source of entertainment but they are also an attractive lure for cyber-criminals to spread threats, phishing pages, and spam letters," commented Kaspersky security expert Anton V. Ivanov. 

"Right now, we have observed intensified scamming activities around Black Widow, the release of which fans all over the world have been eagerly anticipating for a long time. In their excitement to watch the long-awaited movie, viewers have become inattentive to the sources they use, and this is exactly what fraudsters benefit from."

Categories: Cyber Risk News

Multi-Cloud Environments More Risky

Info Security - Thu, 07/08/2021 - 19:59
Multi-Cloud Environments More Risky

A new study has revealed that nearly all security professionals operating in a multi-cloud environment believe it's riskier than relying on a single cloud provider.

The research, published today by global security and compliance solutions provider Tripwire, is based on a June 2021 survey of 314 security professionals with direct responsibility for the security of public cloud infrastructure within their organization.

Nearly three quarters (73%) of those surveyed currently work in a multi-cloud environment. Of those, 98% said that depending on multiple cloud providers creates additional security challenges.

The findings follow the Biden administration's recent cancellation of the single-provider JEDI Cloud contract in favor of the multi-cloud/multi-vendor Joint Warfighter Cloud Capability (JWCC).

More than half of security professionals (59%) have configuration standards for their public cloud, and over three quarters (78%) use best practice security frameworks. However, just 38% of framework users apply those frameworks consistently across their cloud environment.

Keeping track of events is tough for the majority of professionals, with only 21% saying that they have a centralized view of their organization’s security posture and policy compliance across all cloud accounts. 

Another thorny issue for professionals was knowing where their responsibilities end and where those of their cloud service providers and customers begin. The majority said that shared responsibility models for security were not always clear, and three quarters said that they rely on third-party tools or expertise to secure their cloud environment.

"We’ve seen a massive shift to cloud in response to the growing business need to manage more data and have greater accessibility,” said Tim Erlin, vice president of product management and strategy at Tripwire. 

“Given the growing complexity of systems and threats that come with moving to a cloud environment, and security policies that are unique to each provider, it makes sense that organizations are finding it increasingly difficult to secure the perimeter."

Another of the survey's key findings was that most organizations follow a high-risk strategy regarding cloud environment management, relying on existing security teams to complete training or self-teach. Only 9% of those surveyed said they would categorize their internal teams as experts.

Categories: Cyber Risk News