InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
A task force of more than 60 experts from industry, government, nonprofits and academia is urging the U.S. government and global allies to take immediate steps to stem a growing global crisis of cyberattacks in which hackers seize computer systems and data in exchange for a ransom.
The group, which issued a report today, says swift, coordinated action can disrupt and deter the growing threat of cyberattacks that use ransomware, a malicious software that locks up computer systems so that criminals can demand ransom in exchange for access.
“We’re seeing critical parts of the economy being hit by ransomware, including, for example, health care in particular,” says task force co-chair Megan Stifel, executive director of Americas at the Global Cyber Alliance. “When you start to see a broad scale of victims across multiple elements of the economy being hit there can ultimately, if not abated, be catastrophic consequences.”
We’re excited to announce the official release of ATT&CK for Containers! This release marks the culmination of a Center for Threat-Informed Defense (Center) research project sponsored by Citigroup, JPMorgan Chase, and Microsoft that investigated the viability of adding container-related techniques into ATT&CK. This investigation led to developing a draft of an ATT&CK for Containers matrix, which we contributed to ATT&CK. Our contribution was accepted and is now live in ATT&CK version 9.0! We want to give a special thank you to the community for all of your feedback and help in developing this content. Creating ATT&CK for Containers has been a fun journey for us, with a lot of new faces and names along the way. You’ll notice a lot of new contributors in ATT&CK with this release, which is in part a testament to how many folks helped us scope and create this new platform in ATT&CK!
After the horrific shooting in San Bernardino, California, federal law enforcement officers seized the now-dead suspect’s iPhone, and sought to examine it. However, the phone was “locked” using proprietary hardware and software from Apple. The government sought a court order (under the All Writs Act — an 18th century statute) compelling Apple to develop and implement a process to break their own security, and to provide to the FBI the unlocked and unencrypted contents of the iPhone.
After much legal wrangling, the FBI backed down. A recent report in the Washington Post indicates that the reason the FBI backed down is that they were able to turn to a “white hat” hacking company in Australia, Azimuth, to “jailbreak,” or unlock, the phone for them. Cool, cool. In fact, for the most part, that’s what is supposed to happen. Companies attempt to design and implement secure software, hardware, networks and applications, and governments (oh yeah, and hackers, too) attempt to find and exploit weaknesses in them. They put it on the bill, I tear up the bill. It’s very convenient.
It is certainly a more desirable outcome than requiring companies to deliberately crack or, even worse, weaken their security so that a government agency can bypass that security, or compelling the manufacturer or software developer to spend considerable development time and effort to undo its own security.
And that’s the problem with good security – when it works, it’s good. So, was it legal for Azimuth to jailbreak Apple’s devices, and then sell the jailbreak to a government agency? Magic 8 ball says, “Situation hazy; ask again later.” There are several statutes involved here. First and foremost is the Computer Fraud and Abuse Act (CFAA). The statute has many parts, but it makes it a federal crime to exceed authorization to access a computer and obtain information. Generally, to access a computer means to use it; to obtain information was supposed to mean to steal data, but it could also mean just to learn something. And, while a modern cell phone is certainly a “computer,” it is not clear that phone software, apart from the phone (or running on a virtual machine), is a “computer.”
But, assuming that the phone is somehow “accessed” and “information” (like a vulnerability) is “obtained,” we are left with trying to parse what it means to “exceed authorization.” That’s where we get into Apple’s terms of service and terms of use. You know, the hundreds of pages of license agreements you find if you go to Settings -> General -> About -> Legal and Regulatory -> Legal Notices -> License. You know, the stuff you always do when you use the phone, amirite?
You see, you don’t actually own your phone. Well, you kinda own part of it, but the software that makes it work is licensed to you by Apple and others subject to the software license agreement (SLA). Violate the SLA, and you are using (accessing) your own phone “in excess of authorization.”
For some time, the public cloud has actually been able to offer more protection than traditional on-site environments. Dedicated expert teams ensure that cloud servers, for example, maintain an optimal security posture against external threats.
But that level of security comes at a price. Those same extended teams increase insider exposure to private data—which leads to a higher risk of an insider data breach and can complicate compliance efforts.
Recent developments in data security technology—in chips, software, and the cloud infrastructure—are changing that. New security capabilities transform the public cloud into a trusted data-secure environment by effectively locking both insiders and external attackers out of the data.
This eliminates the last security roadblock to full cloud migration for even the most sensitive data and applications. Leveraging this confidential cloud, organizations for the first time can now exclusively own their data, workloads, and applications—wherever they work.
Even some of the most security-conscious organizations in the world are now seeing the confidential cloud as the safest option for the storage, processing, and management of their data. The attraction to the confidential cloud is based on the promise of exclusive data control and hardware-grade minimization of data risk.
What is the confidential cloud?
Over the last year, there’s been a great deal of talk about confidential computing—including secure enclaves or TEEs (Trusted Execution Environments). These are now available on servers through technologies such as Amazon Nitro Enclaves, Intel SGX (Software Guard Extensions), and AMD SEV (Secure Encrypted Virtualization).
Microsoft announced that Microsoft Defender for Endpoint, its commercial version of Windows 10 Defender antivirus, implements a new mechanism that leverages Intel’s Threat Detection Technology (TDT) to block cryptojacking malware using
Cryptojacking malware allows threat actors to secretly mine cryptocurrency by abusing the computational resources of infected devices.
The Intel TDT technology allows heuristics and telemetry to be shared with security software, which can use this data to detect activity associated with malicious code. Intel TDT applies machine learning to low-level hardware telemetry produced by the CPU performance monitoring unit (PMU) and uses it to detect the execution “fingerprint” of malware at runtime. TDT is currently implemented in Intel Core processors and any Intel CPU series that supports Intel vPro technologies, 6th Generation or later.
“Today, we are announcing the integration of Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, an addition that enhances the detection capability and protection against cryptojacking malware.” reads the announcement published by Microsoft. “TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at their final execution point (the CPU). This happens irrespective of obfuscation techniques, including when malware hides within virtualized guests, without needing intrusive techniques like code injection or performing complex hypervisor introspection. TDT can further offload machine learning inference to the integrated graphics processing unit (GPU), enabling continuous monitoring with negligible overhead.”
When it comes to all the various types of malware out there, none has ever dominated the headlines quite as much as ransomware.
Sure, several individual malware outbreaks have turned into truly global stories over the years.
The LoveBug mass-mailing virus of 2000 springs to mind, which blasted itself into hundreds of millions of mailboxes within a few days; so does CodeRed in 2001, the truly fileless network worm that squeezed itself into a single network packet and spread worldwide literally within minutes.
There was Conficker, a globally widespread botnet attack from 2008 that was programmed to deliver an unknown warhead on April Fool’s Day, but never did. (Conficker remains a sort-of unsolved mystery: no one ever figured out what it was really for.)
And there was Stuxnet, discovered in 2010 but probably secretly active for years before that, carefully orchestrated to spread via hand-carried USB drives in the hope of making it across security airgaps and into undisclosed industrial plantrooms (allegedly Iran’s uranium enrichment facility at Natanz).
But none of these stories, as dramatic and as alarming as they were at the time, ever held the public’s attention as durably or as dramatically as ransomware has done since the early 2010s.
Spring is always a time of renewal, but never more so than this year. After our long winter of forced isolation, the increased accessibility of safe and effective vaccines has many looking forward to shutting off Zoom, putting on some real pants, and emerging to see friends and colleagues in person for the first time in more than a year. Normality, it seems, is just around the corner.
Yet the world has been irrevocably changed by the past year, and the businesses, schools, and other workplaces that we enter back into won’t be the same as the ones we left last March.
The pandemic accelerated long-standing trends in workplaces across sectors as companies quickly embraced remote work and stood up infrastructure to enable their employees to remain productive while working from home.
Today we are finding that many of these developments are pretty good—enabling employees to work and be productive from anywhere without the headaches of a commute or a noisy office. And so, as the economy begins to reopen, many are looking for ways to make these temporary solutions more permanent and merge them with more “traditional” forms of working to create a sort of hybrid work environment.
These new hybrid workplaces will create new opportunities for businesses and will allow us to create organizations that are more flexible, productive, and accessible than ever before. But they can also open up new avenues of uncertainty that could threaten every organization. And make no mistake—cybercriminals know this and are finding ways to take advantage of these vulnerabilities.
If you don’t have enough to worry about already, consider a world where AIs are hackers.
Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long.
As I lay out in a report I just published, artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit them at unprecedented speed, scale, and scope. After hacking humanity, AI systems will then hack other AI systems, and humans will be little more than collateral damage.
Okay, maybe this is a bit of hyperbole, but it requires no far-future science fiction technology. I’m not postulating an AI “singularity,” where the AI-learning feedback loop becomes so fast that it outstrips human understanding. I’m not assuming intelligent androids. I’m not assuming evil intent. Most of these hacks don’t even require major research breakthroughs in AI. They’re already happening. As AI gets more sophisticated, though, we often won’t even know it’s happening.
AIs don’t solve problems like humans do. They look at more types of solutions than us. They’ll go down complex paths that we haven’t considered. This can be an issue because of something called the explainability problem. Modern AI systems are essentially black boxes. Data goes in one end, and an answer comes out the other. It can be impossible to understand how the system reached its conclusion, even if you’re a programmer looking at the code.
In 2015, a research group fed an AI system called Deep Patient health and medical data from some 700,000 people, and tested whether it could predict diseases. It could, but Deep Patient provides no explanation for the basis of a diagnosis, and the researchers have no idea how it comes to its conclusions. A doctor can either trust or ignore the computer, but that trust will remain blind.
Whether you’re a small business operating out of a single office or a global enterprise with a huge and distributed corporate network, not inspecting the encrypted traffic entering and leaving can be a costly mistake, as cybercriminals are increasingly using TLS (Transport Layer Security) in their attacks.
Case in point: in Q1 2020, 23 percent of malware detected by Sophos used TLS to disguise malicious communications. Only a year later, that percentage has nearly doubled (45%)!
TLS encryption: For better and for worse
The widespread use of TLS encryption prevents criminals from stealing or tampering with sensitive data and from impersonating legitimate organizations online. Unfortunately, it can also allow malware to fly under the radar and hide from enterprise IT security teams and the tools they use.
“A large portion of the growth in overall TLS use by malware can be linked in part to the increased use of legitimate web and cloud services protected by TLS—such as Discord, Pastebin, Github and Google’s cloud services—as repositories for malware components, as destinations for stolen data, and even to send commands to botnets and other malware,” noted Sean Gallagher, Senior Threat Researcher at Sophos.
“It is also linked to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors deploying them.”
The company has also witnessed an increase in TLS use in manually deployed ransomware attacks, partly because the attackers use modular offensive tools (e.g., Metasploit, Cobalt Strike) that leverage HTTPS.
European law enforcement has conducted an operation aimed at performing a mass-sanitization of computers infected with the infamous Emotet Windows malware.
European law enforcement agencies automatically wiped the infamous Emotet malware from infected systems across the world as part of a mass sanitization operation.
Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time, investigators took control of its infrastructure in an internationally coordinated action.
This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.
Law enforcement agencies were able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure.
The authorities then pushed out a 32-bit payload named “EmotetLoader.dll” to clean up the infected systems; the uninstallation routine was set to trigger automatically on April 25, 2021, as confirmed by researchers at Malwarebytes.
Today at 1:00 PM, our #Emotet-infected machine that had received the special law enforcement file triggered its uninstallation routine.
Connected medical devices are proving essential amidst today’s new normal, but their mainstream adoption has also brought security loopholes to the fore. Fragmented systems have given rise to information silos and unencrypted devices, with hackers increasingly targeting health organizations and hospitals as a result.
It is worth considering what cybersecurity leaders can do as data security shapes up to be the health industry’s next battlefront.
The story so far: Coronavirus and healthtech
Medical connected devices have become a cornerstone defense for patients and healthcare workers over the past 12 months. The ability for devices to supply socially distanced medical information at a time when personal space and health insight are needed most has resulted in their astronomical rise.
Smart devices have also played a key role in the fight against the pandemic. The integration of IoT devices with smart sensors and algorithms in the medical field, connected to an application via the cloud and other connected devices, has been very helpful in contact tracing.
Personal medical care and health data interoperability were already major hot topics in medicine before the pandemic, and now they are only growing with the expansion of medical connected devices. This is evident as a greater awareness and acceptance of newer technologies and higher spending on healthcare services is expected to see medical connected devices grow to $260 billion by 2027.
LONDON — Western countries risk losing control of technologies that are key to internet security and economic prosperity to nations like China and Russia if they don’t act to deal with the threat, one of the UK’s top spy chiefs warned Friday.
“Significant technology leadership is moving east” and causing a conflict of interests and values, Jeremy Fleming, director of government electronic surveillance agency GCHQ, said in a speech.
Singling out China as a particular threat, he said the country’s “size and technological weight means that it has the potential to control the global operating system.”
China is an early adopter of emerging technologies but it also has a “competing vision for the future of cyberspace,” and it’s playing an influential role in the debate around international rules and standards, he said.
He raised the possibility of countries with “illiberal values” like China building them into technical standards that the world ends up relying on, and using their state power to control and dominate technology markets, turning them into arenas of geopolitical competition.
Russian hacking and other nefarious online activity, meanwhile, poses the most acute threat to the UK but, like a smartphone app vulnerability, could be avoided.
China’s Foreign Ministry blasted the remarks, saying they were “totally groundless and unreasonable.”
“Western countries, such as the UK and US, are actually the true empires of hacking and tapping,” ministry spokesman Zhao Lijian said at a briefing in Beijing.
Left unchecked, foreign adversaries could threaten the design and freedom of the internet, Fleming said. He cited as examples the security of emerging technologies like “smart city” sensors used to manage services more efficiently, or digital currencies, saying they could be hardwired for data collection or other intrusive capabilities that go against open and democratic societies.
Britain and other Western countries face “a moment of reckoning,” Fleming said.
“The rules are changing in ways not always controlled by government,” Fleming said in his speech at Imperial College London. “And without action it is increasingly clear that the key technologies on which we will rely for our future prosperity and security won’t be shaped and controlled by the West.”
Britain should not take its status as a cyber power for granted, and it should work on developing “sovereign technologies” such as high-speed quantum computing and cryptographic technology to protect sensitive information, Fleming said.
The importance of carrying out a careful risk and impact assessment in order to safeguard the security of the information and the data privacy.
In order to reduce as much as possible the vulnerabilities and programming errors that can affect not only the quality of the product itself but can also be exploited to launch increasingly sophisticated and growing computer attacks, it’s necessary to guarantee the protection parameters of computer security in terms of integrity, confidentiality and authentication both for the code of an application and for data management. Therefore, it’s essential to carry out a careful risk and impact assessment in order to safeguard the security of the information and the data privacy.
The project must be planned, following a common denominator for the whole software life cycle, to ensure the security requirements for the data, functions and programming language.
The reference model used in this discussion is, for simplicity’s sake, sequential, in which only after completing one phase does one move on to the next. However, it could be envisaged, for greater efficiency and flexibility, to revise and correct the various phases:
She alleges that TikTok is violating the GDPR (General Data Protection Regulation) by collecting excessive data and failing to explain what it’s used for.
Children’s data is subject to special protections under the GDPR, including the requirement that privacy policies must be written in a way that’s understandable to the service’s target audience.
Today I’m launching a legal claim against @tiktok_uk on behalf of millions of children whose data was illegally taken and transferred to unknown third parties for profit. Learn more about our fight to protect children's privacy @TikTokClaimUK for updates https://t.co/eSCxj4Jwql pic.twitter.com/LBvNHq7Oth
Does it seem as if nearly every time you install an app, it wants you to register with your email or phone number? To add to that, these apps usually want loads of other sensitive information that they don’t need. This is because of desperate data collection attempts, as your personal information is like gold to the companies selling it (and those using it to manipulate you). Users’ e-mail addresses are also sold to spammers (and scammers) that will bombard you with spam and phishing e-mails.
Your online activity across many apps is tied to your email address and phone number, and it is used to build a profile on you. This is one of the reasons that you should not use your email address to sign up for multiple apps or services. However, adhering to that policy is difficult. Many of the major e-mail providers require you to enter your phone number (another detail used to link your activity across multiple online services), and they sell your data too.
Protecting Your E-mail Enhances Your Online Security
First: Your e-mail is half of your login credentials, and is used as the login across many websites. Your password is the second half, and password cracking is not a difficult feat.
If your e-mail address is leaked by a popular app or service — something that happens frequently — you are at risk of hackers using that e-mail to log into other services you use online. If hackers don’t have your password, they can hack your e-mail account and use that to request a password reset. E-mail-related hacks are among the most catastrophic because your inbox reveals all the apps and services you use online (including financial services like banking, exchanges, and PayPal).
What You Can Do
There are multiple ways to approach this problem, but the first should be restraint. Don’t give any app or company your e-mail address if you aren’t required to. If a company asks for your e-mail when it isn’t needed, you can decline or say that you don’t have an e-mail. Also, if you don’t want an app that is demanding your e-mail badly enough, just uninstall it.
If you have an iPhone or iPad, you can use the ‘Sign in with Apple’ option to register and select the option to hide your e-mail address when prompted. Apple will generate a fake e-mail address and forward messages from it to the real e-mail on your Apple account. This goes a long way towards protecting your online accounts from hackers and data miners.
Sign up for ProtonMail and Tutanota to get secure, end-to-end encrypted e-mail. Each of those providers will provide you with one e-mail address for free. I would recommend getting a paid account so that you can create multiple e-mail addresses and use one exclusively for your bank, and another exclusively for your PayPal to protect those financial accounts from hackers.
If you don’t want a paid account, then sign up for each of them with a different alias to get one free account from each of them (ensure that you abide by their terms of use). If you want a third, there is also Disroot. If you do decide to pay, you can use Bitcoin to avoid providing billing details (which contain your name and address) on ProtonMail.
Developers have discovered a backdoor in the Codecov bash uploader. It’s been there for four months. We don’t know who put it there.
Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. “This information was then sent to a third-party server outside of Codecov’s infrastructure,” the company warned.
Codecov’s Bash Uploader is also used in several other uploaders — the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step — and the company says these uploaders were also impacted by the breach.
Despite thieves regularly finding ways to boost cars by exploiting vulnerabilities in modern keyless locking systems, and researchers demonstrating how attackers could fiddle with car settings, the infotainment system, the brake system, the steering system, and so on, we have yet to witness actual safety attacks that resulted in hackers disabling brakes or turning the steering wheel.
One of the reasons must surely be that cybercriminals are generally after money and not that interested in harming people for the fun of it, but perhaps another is that it’s currently very difficult to prove that attacks like these happened.
“If an incident happens there is currently no entity that will investigate such a possibility. Even more so, in most cars there are no measures monitoring for such incidents. So if you try and succeed, no one will even know, not to mention launch an investigation,” notes Nathaniel Meron, Chief Product and Marketing Officer at C2A Security, a provider of automotive cybersecurity solutions.
And, though the IT networks of original equipment manufacturers (OEMs) have already been breached by ransomware gangs, vehicle owners are lucky that those criminals have not yet switched to in-vehicle network attacks to “brick” cars and demand money.
If and when that happens, and depending on the scale of the attacks, Meron reckons that they could even bankrupt an OEM.
But while it’s difficult to say when this “grace period” might end, OEMs should accept as fact that one day it surely will, and they should use this time to work on defenses.
Lots of things that we rely on, and that are generally regarded as bringing value, convenience and benefit to our lives…
…can be used for harm as well as good.
Even the proverbial double-edged sword, which theoretically gave ancient warriors twice as much fighting power by having twice as much attack surface, turned out to be, well, a double-edged sword.
With no “safe edge” at the rear, a double-edged sword that was mishandled, or driven back by an assailant’s counter-attack, became a direct threat to the person wielding it instead of to their opponent.
Sadly, there are lots of metaphorically double-edged swords amidst modern technology.
And no IT technology feels quite as double-edged as encryption, the process of scrambling data securely in such a way that only the intended recipient can ever unscramble it later on.
Almost everything about encryption makes it feel as though it is both immeasurably useful and dispiritingly dangerous at the same time.
It’s been rough sailing for organisations in the past year or so. In addition to the ongoing challenges of COVID-19, there are the effects of Brexit, increasing public awareness of privacy rights and regulatory pressure to improve data protection practices.
The specific costs will depend on the sophistication of the attack and how well executed it was.
For example, a DDoS (distributed denial-of-service) attack could knock systems offline for a few hours, creating a frustrated workforce and unhappy customers – but otherwise the cost would be comparatively low.
By contrast, an attacker who infects an organisation’s systems with ransomware could cripple them for days or even weeks. The cost of recovery, not to mention the ransom payment (if the organisation pays up) could result in losses of several million pounds.
For an estimate of how much cyber security incidents cost, a Ponemon Institute study found that organisations spend $3.86 million (about £2.9 million) per incident.
However, it notes that organisations can cut this cost dramatically by addressing four key factors:
Incident detection
By implementing measures such as audit logs and forensics analysis, you will be able to spot breaches sooner and identify the full extent of the damage. The faster you do this, the less damage the attacker can cause.
Lost business
This relates to both the direct damage caused by the breach – such as system downtime preventing you from completing processes – as well as long-term damage, such as customer churn and reputational loss.
Organisations that are better equipped to continue operating while under attack will be able to reduce lost business.
Notification
This relates to the costs involved in disclosing incidents. For example, organisations may be required to contact affected data subjects, report the breach to their data protection authority and consult with outside experts.
Ex-post response
These are the costs associated with recompensing affected data subjects, as well as the legal ramifications of the incident. It includes credit monitoring services for victims, legal expenses, product discounts and regulatory fines.
Recognise, respond, recover
Navigating the cyber threat landscape has never been harder, but you will make life a lot easier by planning for disaster before it occurs.
The Cyber Security Breaches Survey 2021 found that directors and senior staff are placing a greater emphasis on data protection, but that doesn’t just mean preventing breaches. It also requires organisations to create processes to recognise, respond to and recover from incidents.
If the path to safety has been mapped out in advance, you can remain calm in the face of disaster and follow processes and policies that you have worked on and can trust.
If you’re looking for help creating that documentation, IT Governance can help steer you in the right direction. We offer a range of data protection and cyber security training, tools, software and consultancy services – all of which can be delivered remotely.
You may be particularly interested in our Business Continuity Pandemic Response Service, which is tailored to help you address cyber attacks and other disruptions while operating with a dispersed workforce.
Whether your workforce is cautious about returning to the office as lockdown ends or you’re offering staff the opportunity to work remotely on a permanent basis, we have you covered.