InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Google announced the completion of the $5.4 billion acquisition of threat intelligence firm Mandiant. The acquisition was announced in March 2022 by both companies:
“RESTON, Va., March 8, 2022 – Mandiant, Inc. (NASDAQ: MNDT) today announced that it has entered into a definitive agreement to be acquired by Google LLC for $23.00 per share in an all-cash transaction valued at approximately $5.4 billion, inclusive of Mandiant’s net cash.” reported the press release.
Mandiant is considered a leading cyber security firm, in 2013 FireEye acquired it, but FireEye separated Mandiant Solutions in 2021 as part of a $1.2 billion private equity transaction.
The cybersecurity firm will join Google Cloud, but despite the acquisition, Google will maintain the Mandiant brand.
Google is expanding its offer adding cybersecurity services to its portfolio, as part of this strategy the company also acquired the Israeli Israeli startup Siemplify which has developed a SOAR (security orchestration, automation and response) technology.
“Today we’re excited to share the next step in this journey with the completion of our acquisition of Mandiant, a leader in dynamic cyber defense, threat intelligence and incident response services. Mandiant shares our cybersecurity vision and will join Google Cloud to help organizations improve their threat, incident and exposure management.” reads the Google’s announcement.
“Combining Google Cloud’s existing security portfolio with Mandiant’s leading cyber threat intelligence will allow us to deliver a security operations suite to help enterprises globally stay protected at every stage of the security lifecycle. With the scale of Google’s data processing, novel analytics approaches with AI and machine learning, and a focus on eliminating entire classes of threats, Google Cloud and Mandiant will help organizations reinvent security to meet the requirements of our rapidly changing world.”
State of the Hack discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.
HP Secure Erase; HP Sure Click; HP BIOSphere Gen6; HP Sure Admin; Hood Sensor Optional Kit; HP Client Security Manager Gen6; HP Sure Start Gen7; HP Sure Recover Gen4; HP Sure Sense Gen2; HP Sure Run Gen5[19,20,21,22,23,24,25,26,31]
Cobalt’s has announced a new offering, Agile Pentesting! With Agile Pentesting, conduct a pentest that has a targeted scope focused on a specific area of an asset, or a specific vulnerability across an asset. Agile Penesting is flexible in nature, and aligns pentesting to DevSecOps workflows in a way that’s friction-free.
Leverage Agile Pentesting to level up your security program for:
* New Release Testing: pentest a new release before or shortly after it reaches production
* Delta Testing: pentest for incremental improvements based on code differences since date or version
* Single OWASP Category Testing: pentest a single vulnerability or small subset of vulnerabilities across an asset to validate fixes
* Microservice Testing: pentest Kubernetes within AWS, Azure, or GCP, as well as hosted network devicesReady to ship code securely with Cobalt’s Agile Pentesting?
Ready to ship code securely with Cobalt’s Agile Pentesting?
Enter to Win a Free Cobalt Agile Pentest!Sometimes the best things in life actually are free! Click here to enter your information to be one of the three lucky winners to receive a free Agile Pentest from Cobalt, worth $6,600 in value! The drawing will take place on September 22nd.
ust as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers.
My first reaction was that it’s great to see these agencies adding to the public discourse in these still heady days where we’re all sorting out software supply chain security best practices. This is an important voice in shaking out the still many requirements, frameworks, and best practices, and kudos to them for sharing some of their hard-fought lessons learned.
But I think it’s also important for developers at large to weigh what makes sense in the most extraordinarily sensitive national security environments, versus what makes sense for the average enterprise developer and security team.
Here’s what stuck out to me as the good, bad, and ugly implications of the report.
The good
There are some excellent, prescriptive recommendations in the report where these agencies are advocating specific frameworks like Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”) and Secure Software Development Framework (SSDF). The report mentions these frameworks 14 and 38 times, respectively, and for developers and security teams that realize they have a software supply chain security problem but don’t know where to start, now they have a clear path to take their first steps.
The upshot of these frameworks is they give developers clear guidance on (1) how to develop secure code, from design issues to organizational structure issues for more secure software; (2) build system integrity (making sure malicious code isn’t being injected in our build systems); and (3) what happens after software is built and how to operate systems security (vulnerability remediation, monitoring, those types of aspects).
I also think the report does an excellent job of emphasizing what software signing buys developers in terms of artifact security, and how by making the investment in signing and verifying at the start of the software development lifecycle, you can save yourself a lot of toil not having to worry about the security of the package managers further down the line.
The bad
The guide suggests that “all development systems must be restricted to development operations only” … and goes on to say “no other activity such as email should be conducted for business nor personal use.”
I can’t see a future where developers are told they can’t do Slack, email and web browsing on their dev machines, and here’s an example where what’s mandatory in air-gapped environments like the NSA don’t really map out to mainstream developer scenarios.
I also find that the SBOM guidance has great points, but also misses concrete threats and mitigation examples. Overall the industry continues to tell everyone to use SBOMs, but doesn’t really explain what to do with them or what the real benefits are. And while I like the guidance to compare SBOMs with software composition analysis (SCA) results, the reality is that today’s vulnerability scanners actually miss a lot of the transitive dependencies that make software supply chains an attractive threat surface in the first place.
The ugly
While open source is mentioned 31 times in the guide, it’s mostly superficial references, with no new recommendations. We all know most source code being used today is open source, and it has unique aspects for security – the report doesn’t pay any care to how to choose which open source projects to use, what to look for when deciding on a new dependency, approaches to scoring systems, or how to tell the security health of an OSS project.
There’s quite a bit of information overload. Half of the document explains what its contents are, and the other half presents a couple of frameworks and the intersections of those frameworks. I think what we’re going to see next is a tidal wave of security vendor product whitewashing, claiming to have the first capabilities conforming to these guidelines – but it’s important to remember that there is no accreditation process, and most of this will simply be marketing bluster.
What’s next
Software supply chain security is pretty unique – you’ve got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle. You can’t just take one piece of security software, turn it on, and get protected from everything.
Guides and recommendations like this that come down from the most sophisticated organizations that have gone through the early paces give a lot of great clues for developers at large, and I hope the NSA/CSA/ODNI will continue to disclose this type of insight … even if it may require some decoding for what applies to more mainstream developer scenarios outside of the Pentagon.
August 2022 has been a lesson in being careful with whom you provide sensitive information. In a month that saw the former US president accused of misappropriating classified government documents, there were also a spate of malicious insiders compromising their employer’s systems.
Meanwhile, the bastion of password security, LastPass, announced that its systems had been breached – although the organisation is confident that customers’ details remain secure.
In total, we identified 112 publicly disclosed security incidents in August, resulting in 97,456,345 compromised records.
You can find the full list of incidents below, broken into their respective categories.
The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving.
To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.
The results of the survey revealed these main takeaways:
Who reports to CISOs and to whom do the CISOs report?
The main organizational functions that report to CISOs are SecOps (88%); governance, risk, and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity planning or disaster recovery (79%).
CISOs mostly report to the CIO (38%); the CTO or senior engineering executive (15%); the COO or CAO (9%); the global CISO (8%); and the CEO (8%). But 88% of them also report to the company board and/or advisory committee.
CISO roles are often terminal
Most CISOs move laterally into their current role and the career path forward for CISOs is most often to another CISO role, the analysts found.
If they were not CISOs before – and 53% of them were! – they were mostly a deputy CISO, a regional or business unit CISO, and the senior information security executive in their organization.
Many CISOs aspire to be a board member next, but that ambition is unlikely to be realized. Even though cybersecurity experience is sorely needed on boards, many boards still frequently prefer board members with prior board experience, the analysts pointed out.
The Chief Security Officer (CSO) or the Chief Information Officer (CIO) roles are also coveted by many of the respondents.
Threats CISOs are facing and personal risks they are worried about
CISOs say ransomware attacks are the most significant cyber risk to their organization (67%), followed by insider threats (32%) and nation/state attacks (31%).
On a more personal note, CISOs are most worried about stress related to the role (59%) and burnout (48%), and much less about job loss as a result of a breach (25%) or being faced with personal financial accountability for a breach (11%).
“Our survey responses here tell a few different stories,” the analysts noted.
“One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits. The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.”
CISO compensation keeps rising
“In the United States, reported median cash CISO compensation has risen to $584,000 this year, up from $509,000 last year and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000,” the company found.
New CISOs, in particular, saw the highest rises in overall compensation – probably because talent to fill out the role is hard to find and organizations are competing fiercely to take hold of it.
In the UK, the median cash CISO compensation has risen to £318,000 this year, but there was a 14% drop in annual equity.
For those interested, Heidrick & Struggles’s report offers more granular insight on the various factors that impact CISO compensation in different geographical locations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw (
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
According to the US agency, Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation). An attacker can trigger the flaw to cause an out-of-bounds write and achieve code execution.
It is important to highlight that there are no security patches to fix this issue and that the impacted product is end-of-life.
CISA also added to the catalog a Sanbox Bypass Vulnerability, tracked as CVE-2021-31010 (CVSS score: 7.5), in Apple iOS, macOS, and watchOS.
“In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory.
The other vulnerabilities added to the catalog are:
CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability
CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
CyberWire Inc. (Author)Flash cybersecurity advisories from the US Government. These alerts provide timely technical and operational information, indicators of compromise, and mitigations for current major security threats, vulnerabilities, and exploits. These alerts have been edited and adapted for audio by The CyberWire as a public service.
As technology advances, so must our ability to use such technology ethically. The rise of AI (artificial intelligence) and big data raises concerns about data privacy and cyber security. ITG have combined their latest titles into one bundle, saving you 20% – ideal for bank holiday reading.
Digital Ethics Book Bundle Understand the growing social, ethical and security concerns of advancing technology with this new collection:
A survey of cybersecurity decision makers found 77 percent think the world is now in a perpetual state of cyberwarfare.
In addition, 82 percent believe geopolitics and cybersecurity are “intrinsically linked,” and two-thirds of polled organizations reported changing their security posture in response to the Russian invasion of Ukraine.
Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyberattack. Unfortunately, 63 percent of surveyed security leaders also believe that they’d never even know if a nation-state level actor pwned them.
The survey, organized by security shop Venafi, questioned 1,100 security leaders. Kevin Bocek, VP of security strategy and threat intelligence, said the results show cyberwarfare is here, and that it’s completely different to many would have imagined. “Any business can be damaged by nation-states,” he added.
According to Bocek, it’s been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, Bocek said, everyone is a target and there’s no military or government method for protecting everyone.
Nor is there going to be much financial redress available. Earlier this week Lloyd’s of London announced it would no longer recompense policy holders for certain nation-state attacks.
Late on Friday, Facebook agreed in principle to settle a US lawsuit seeking damages for letting third parties, including Cambridge Analytica, access the private data of users. The terms of the settlement have yet to be finalized.
Googlers uncover Charming email scraping tool
Researchers at Google’s Threat Analysis Group (TAG) have detailed email-stealing malware believed to be from Iranian APT Charming Kitten.
The tool, which TAG has dubbed Hyperscrape, is designed to siphon information from Gmail, Yahoo! and Outlook accounts. Hyperscrape runs locally on the infected Windows machine, and is able to iterate through the contents of a targeted inbox and individually download messages. To hide its tracks, it can, among other things, delete emails alerting users to possible intrusions.
Not to be confused with Rocket Kitten, another APT believed to be backed by Iran, Charming Kitten has been hijacking accounts, deploying malware, and using “novel techniques to conduct espionage aligned with the interests of the Iranian government” for years, TAG said.
In the case of Hyperscrape, it appears the tool is either rarely used, or still being worked on, as Google said it’s only seen fewer than two dozen instances of the software nasty, all located within Iran.
The malware is limited in terms of its ability to operate, too: it has to be installed locally on a victim’s machine and has dependencies that, if moved from its folder, will break its functionality. Additionally, Hyperscrape “requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired,” Google said.
While its use may be rare and its design somewhat restrictive, Hyperscrape is still dangerous malware that Google said it has written about to raise awareness. “We hope doing so will improve understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger protections across the industry,” Google security engineer Ajax Bash wrote.
Security professionals can find the indicators of compromise data for Hyperscrape in Google’s report.
French agency may investigate Google – again
A French governmental agency that has twicefined Google over violations of data privacy regulations and the GDPR has been tipped off by the European Center for Digital Rights (NOYB) about another potential bad practice: dressing up adverts to look like normal email messages.
According to NOYB, Google makes ads appear in Gmail user’s inboxes that appear to be regular emails, which would be a direct violation of the EU’s ePrivacy directive, as folks may not have technically signed up or consented to see this stuff.
“When commercial emails are sent directly to users, they constitute direct marketing emails and are regulated under the ePrivacy directive,” NOYB said.
Because Google “successfully filters most external spam messages in a separate spam folder,” NOYB claims, when unsolicited messages end up in a user’s inbox it gives the impression it was something they actually signed up for, when that’s not the case.
“EU law already makes it quite clear: the use of email, for the purpose of direct marketing, requires user consent,” NOYB said, referencing an EU Court of Justice press release [PDF] from 2021 that outlines rules surrounding inbox advertising.
“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” said NOYB lawyer Romain Robert.
France’s Data Protection Authority (CNIL) has ruled in opposition to Google’s past behavior before. In February, Google was found to be breaching GDPR regulations by transmitting data to the US. Google has also been fined by the French Competition Authority for not paying French publishers when using their content.
NOYB said in its complaint [PDF] to CNIL that, because it accuses Google of violating the ePrivacy directive and not GDPR, the watchdog has no need to cooperate with, or wait for, the actions of other national data privacy authorities to decide to fine or otherwise penalize the American web giant.
Nobelium is back with a new post-compromise tool
Microsoft security researchers have described custom software being used by Nobelium, aka Cozy Bear aka the perpetrators of the SolarWinds attack, to maintain access to compromised Windows networks.
Dubbed MagicWeb by Redmond, this malicious Windows DLL, once installed by a high-privileged intruder on an Active Directory Federated Services (ADFS) server, can be used to ensure any user attempting to log in is accepted and authenticated. That’ll help attackers get back into a network if they somehow lose their initial access.
Microsoft noted that MagicWeb is similar to the FoggyWeb malware deployed in 2021, and added that “MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly.”
This isn’t a theoretical malware sample, either: Microsoft said it found a real-world example of MagicWeb in action during an incident response investigation. According to Microsoft, the attacker had admin access to the ADFS system, and replaced a legitimate DLL with the MagicWeb DLL, “causing malware to be loaded by ADFS instead of the legitimate binary.”
MagicWeb is a post-compromise malware that requires the attacker to already have privileged access to their target’s Windows systems. Microsoft recommends treating ADFS servers as top tier assets and protecting them just like one would a domain controller.
Additionally, Microsoft recommends domain administrators enable Inventory Certificate Issuance policies in PKI environments, use verbose event logging, and look out for Event ID 501, which indicates a MagicWeb infection.
Redmond said organizations can also avoid a MagicWeb infection by keeping an eye out for executable files located in the Global Assembly Cache (GAC) or ADFS directories that haven’t been signed by Microsoft, and adding AD FS and GAC directories to auditing scans.
Anti-cheat software hijacked for killing AV
It turns out role-playing game Genshin Impact’s anti-cheat software can be, and is being, used by miscreants to kill antivirus on victims’ Windows computers before mass-deploying ransomware across a network.
TrendMicro said it spotted mhyprot2.sys, the kernel-mode anti-cheat driver used by Genshin, being used kinda like a rootkit by intruders to turn off end-point protection on machines. The software is designed to kill off unwanted processes, such as cheat programs.
You don’t have to have the game installed on your PC to be at risk, as ransomware slingers can drop a copy of the driver on victims’ computers and use it from there.
It has the privileges, code signing, and features needed by extortionists to make their roll out of ransomware a cinch, we’re told. TrendMicro recommends keeping a look out for unexpected installations of the mhyprot2 driver, which should show up in the Windows Event Log, among other steps detailed in the link above. ®
From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data.
Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received.
The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.
Cybersecurity agencies warn that despite networks being encrypted, victims shouldn’t pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.
Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later – providing a lesson in why you should never trust cyber criminals.
Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.
Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place.
Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism.
“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said.
In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline.
Find programming and software development online courses, created by experts to help you take your career to the next level.
Programming Online Courses
AWS Online Courses
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*
All the pre-written policies and procedures you’ll ever need.
Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.
Reviewed throughout the year to ensure you’re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.
Accessible on our Cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.
Scammers are using cloud services to create and host web pages that can be used to lure victims into handing over their credentials
Criminals are slipping phishing emails past automated security scanners inside Amazon Web Services (AWS) to establish a launching pad for attacks.
Scammers have latched onto the ability for people to use an AWS service to build and host web pages using WordPress or their own custom code. From there they can send phishing messages carrying the AWS name into corporate emails systems to both get past scanners that typically would block suspicious messages and to add greater legitimacy to fool victims, according to email security vendor Avanan.
In a report this week, researchers with Avanan – acquired last year by cybersecurity company Check Point – outlined a phishing campaign that uses AWS and unusual syntax construction in the messages to get past scanners.
“Email services that use static Allow or Block Lists to determine if email content is safe or not are not immune to these attacks,” they wrote. “Essentially, these services will determine whether a website is safe or not. Amazon Web Services will always be marked as safe. It’s too big and too prevalent to block.”
Piggybacking on well-known brand names for phishing campaigns isn’t unusual. Avanan this year has documented such efforts leveraging QuickBooks, PayPal, and Google Docs to ensure messages land in an inbox.
Now the public cloud is a vehicle and using AWS makes sense. It is the largest public cloud player, owning a third of a global cloud infrastructure market that generated almost $55 billion in the second quarter, according to Synergy Research Group. Combined, AWS, Microsoft Azure, and Google Cloud account for 65 percent of the space.
“Attacks using public cloud is becoming my common for many reasons, in part because infrastructure is so transient, reputational systems cannot help. We can block bulletproof hosting providers but we can’t just block AWS,” John Bambenek, principal threat hunter at Netenrich, told The Register. “These services are cheap, easy to use, and can spin up and down services quickly. Public clouds are usually whitelisted, so IP reputation doesn’t work, and people are getting more and more used to services in public clouds so they don’t look as suspect.”
The trend will only grow, according to Davis McCarthy, principal security researcher at Valtix.
“As the enterprise embraces the multiple clouds, cybercriminals will have more options to choose from and abuse,” McCarthy told The Register. “Benefiting from the lack of visibility and the disjointed topology, attack surfaces will be difficult to fingerprint. Organizations will need to standardize on security across clouds and have the ability to consolidate visibility to ensure prevention and detection processes are implemented efficiently.”
Cybercriminals are “creating phishing pages on AWS using the site’s legitimacy to steal credentials,” Avanan researchers wrote. “Sending a link to this page via email is a way to bypass scanners and get users to hand over credentials.”
They pointed to a campaign where the cybercriminal sent a phishing message created and hosted on AWS telling recipients that their password was about to expire. The email came with a Microsoft logo and told the user to click on a button to either keep or change the password.
The use of AWS’ name isn’t the only tactic for getting past the scanners, according to the researchers. They also use unusual content in the email’s text to confuse scanners, they wrote. When the message in the example was opened, the text wasn’t related to the attack. Instead, it was written in Spanish that when translated talks about a price quote for an “earthquake monitoring system.”
When the user clicks on button, they’re taken to a fake password reset page that includes the domain name of the victim’s company and most of the fields populated. The user is asked only to type in their password. If that’s done, the scammers can steal the credentials.
“With an easy way into the inbox, plus a low lift from end-users, this type of attack can be quite successful for hackers,” the researchers wrote, who added that they notified Amazon of what they found.
Avanan researchers wrote that enterprise users need to hover over links to see the destination URL before clicking on it and look at the email content before clicking on it. Hank Schless, senior manager of security solutions at Lookout, told The Register that Secure web gateways (SWGs) can help identify risk behavior on the network beyond what typical scanners do. If part of a larger cloud security platform, administrators can implement more data protection tools to identify risk behavior, even if it’s coming from a legitimate source.
Automation also is key given the lack of in-house skills to run continuous monitoring, according to Ryan McCurdy, vice president of marketing at Bolster.
“Moreover, they do not have the relationships nor access to perform the takedowns, such as asking an internet service provider to take down a fake website, let alone have the access to underground forums and chat rooms, which is not something that can be acquired overnight,” McCurdy told The Register. “It’s critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the web, social media, app stores, and the dark web.”
(Reuters) – A team of hackers from two North American universities won the “Capture the Flag” championship, a contest seen as the “Olympics of hacking,” which draws together some of the world’s best in the field.
In the carpeted ballroom of one of the largest casinos in Las Vegas, the few dozen hackers competing in the challenge sat hunched over laptops from Friday through Sunday during the DEF CON security conference that hosts the event.
The winning team, called Maple Mallard Magistrates, included participants from Carnegie Mellon University, its alumni, and the University of British Columbia.
The contest involves breaking into custom-built software designed by the tournament organizers. Participants must not only find bugs in the program but also defend themselves from hacks coming from other competitors.
The hackers, mostly young men and women, included visitors from China, India, Taiwan, Japan and South Korea. Some worked for their respective governments, some for private firms and others were college students.
While their countries may be engaged in cyber espionage against one another, the DEF CON CTF contest allows elite hackers to come together in the spirit of sport.
The reward is not money, but prestige. “No other competition has the clout of this one,” said Giovanni Vigna, a participant who teaches at the University of California in Santa Barbara. “And everybody leaves politics at home.”
“You will easily find a participant here going to another who may be from a so-called enemy nation to say ‘you did an amazing job, an incredible hack.'”
The game has taken on new meaning in recent years as cybersecurity has been elevated as a national security priority by the United States, its allies and rivals. Over the last 10 years, the cybersecurity industry has boomed in value as hacking technology has evolved.
Winning the title is a lifelong badge of honor, said Aaditya Purani, a participant who works as an engineer at electric car maker Tesla Inc (TSLA.O).
This year’s contest was broadcast for the first time on YouTube, with accompanying live commentary in the style of televised sports.
DEF CON itself, which began as a meetup of a few hundred hackers in the late 1990s, was organized across four casinos this year and drew a crowd of more than 30,000, according to organizing staff.
On Saturday afternoon, participants at the “Capture the Flag” contest sat typing into their laptops as conference attendees streamed in and out of the room to watch. Some participants took their meals at the tables, munching on hamburgers and fries with their eyes fixed on screens.
Seungbeom Han, a systems engineer at Samsung Electronics, who was part of a South Korean team, said it was his first time at the contest and it had been an honor to qualify.
The competition was intense and sitting for eight hours a day at the chairs was not easy. They did take bathroom breaks, he said with a laugh, “but they are a waste of time.”
Reporting by Zeba Siddiqui in Las Vegas Editing by Matthew Lewis
South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.
South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.
The problem? Thames Water wasn’t breached.
Apparently, Clop got its UK water companies confused.
South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible.” It added there has been no disruption on service.
“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said.
Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports.
“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror.
While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence.
“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebeg said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”
It should be obvious why costs are on the rise; substantial disruption remains related to COVID-19, Russia’s invasion of Ukraine has disrupted supply chains and interest rates have been raised several times this year.
Clearly, then, rising costs are not simply a temporary issue that we must get through. We must instead carefully plan for how we will deal with increased costs on a permanent basis.
One apparent measure is to look at ways your organisation can cut costs. For better or worse, the most likely targets will be parts of the business that don’t contribute to a direct return on investment.
However, before you start slashing budgets, you should consider the full effects of your decisions.
Take cyber security for example. It’s already notoriously underfunded, with IT teams and other decision makers being forced to make do with limited resources.
According to a Kaspersky report, a quarter of UK companies admit underfunding cyber security even though 82% of respondents have suffered data breaches.
The risk of cyber security incidents is even higher in the summer months, when staff holidays mean that cyber security resources are even more stretched than usual.
These are worrying signs for organisations, and an economic downturn will only make cyber criminals more determined to make money – especially as they know their targets are focusing on cutting costs.
But it’s not just the immediate costs associated with cyber attacks and disruption that organisations should be worried about. There are also long-term effects, whether that’s lingering operational disruption, reputational damage or regulatory action.
Consider the ongoing problems that British Airways faced after it suffered a cyber attack in 2018. It took the airline more than two months to detect the breach, creating enduring difficulties and ultimately resulting in a £20 million fine.
The ICO (Information Commissioner’s Office), which investigated the incident, found that British Airways was processing a significant amount of personal data without adequate security measures in place, and had it addressed those vulnerabilities, it would have prevented the attack.
There were several measures that British Airways could have used to mitigate or prevent the damage, including:
Applying access controls to applications, data and tools to ensure individuals could only access information relevant to their job;
Performing penetration tests to spot weaknesses; and
Implementing multi-factor authentication.
In addition to the fine, British Airways settled a class action from as many as 16,000 claimants. The amount of the settlement remains confidential, but the cost of the payout was estimated to be as much as £2,000 per person.
Remarkably, the penalty and the class action represent a case of strikingly good fortune for British Airways. Had it come earlier, it would have been at the height of the COVID-19 pandemic when airlines were severely affected, and were it any later, it would have come during a period of massive inflation.
Failure to do so will result in unforeseen costs at a time when every precaution must be taken to reduce costs.
Invest today, secure tomorrow
It’s long been accepted that it’s a matter of ‘when’ rather than ‘if’ you will suffer a cyber attack. When you do, you’ll have to invest heavily in security solutions on top of having to paying remediation costs.
In times of uncertainty, you need your services to be as reliable as possible. The challenges your organisation will face in the coming months as a result of falling consumer confidence are enough to deal with without having to contend with cyber crime and its inevitable fallout.
Investing in effective cyber security measures will enable your organisation to make the most of its opportunities in straightened circumstances.
At the well-known DEF CON security shindig in Las Vegas, Nevada, last week, Mac cybersecurity researcher Patrick Wardle revealed a “get-root” elevation of privilege (EoP) bug in Zoom for Mac:
Dustin Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs.
BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.
ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.
“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”
