Decipher (https://decipher.sc) is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Feed dated Wed, 25 Nov 2020 00:00:00 -0500. Contact: info@decipher.sc (Amy Vazquez). Copyright 2020.

Interpol Arrests Three in BEC Scam
By Fahmida Y. Rashid, https://duo.com/decipher/interpol-arrests-three-in-bec-scam, Wed, 25 Nov 2020

The Nigerian Police Force, in partnership with Interpol and Group-IB, has arrested three men suspected of being part of a cybercriminal gang that specialized in business-email-compromise scams.

Interpol tracked the activities of the TMT gang as part of Operation Falcon, a year-long investigation. Group-IB became involved in the operation as part of Project Gateway, an Interpol initiative which allows private partners to cooperate with Interpol and directly share threat data. Interpol's Cybercrime and Financial Crime units assisted the Nigerian Police Force, who made the actual arrests.

TMT is believed to have compromised at least 500,000 government and private sector companies in more than 150 countries, according to Group-IB.

TMT deploys mass phishing campaigns and relies on around 26 publicly available spyware programs and remote access trojans to carry out its attacks. Malware in its arsenal includes AgentTesla, Loki, AzoRult, Pony, NetWire, Spartan, NanoCore, and Remcos RATs, Interpol said.

“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” Interpol said.

The TMT group specializes in business email compromise (BEC) scams, where attackers pose as someone the victim knows to trick them into initiating money transfers or otherwise revealing confidential information. The suspects sent out fraudulent purchase orders and product inquiries as part of mass emailing campaigns designed to distribute popular malware variants. The gang also impersonated legitimate companies offering COVID-19 aid, Group-IB investigators said.

Group-IB researchers said the gang used well-known email marketing software such as Gammadyne Mailer and Turbo-Mailer to send out the phishing emails and used marketing platform MailChimp to track whether the recipient opened the message.

Some 50,000 victims have been identified so far around the world, including in the United States, the United Kingdom, Singapore, Japan, and Nigeria. The gang is split into subgroups, and a number of the gang members are still at large.

“This group was running a well-established criminal business model,” said Craig Jones, Interpol’s cybercrime director. “From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits.”

BEC scams typically involve a fair amount of reconnaissance work beforehand, as attackers identify executives to impersonate and study their communication patterns. Attackers also investigate third-party relationships in order to understand the vendors the organization typically works with. The attackers are interested in everything, from vendor names to how the organization handles the billing system, in order to mount a convincing attack.

BEC scams are quite lucrative. The Anti-Phishing Working Group estimated the average wire-transfer loss from BEC attacks in the second quarter of 2020 was about $80,000. Nigeria and West Africa remain the top hotspots for BEC gangs, but a large Russian BEC gang called Cosmic Lynx has been responsible for more than 200 BEC campaigns against victims in 46 countries.

The FBI’s Internet Crime Complaint Center recorded 24,000 complaints, totalling $1.7 billion in losses, from BEC scams in 2019, and the true number of incidents is likely much higher since the IC3 figure reflects only the complaints it received.

VMware Warns of Critical Zero Day in Workspace One
By Dennis Fisher, https://duo.com/decipher/vmware-warns-of-critical-zero-day-in-workspace-one, Tue, 24 Nov 2020

VMware has disclosed a critical command-injection vulnerability in several of its core products that can be used by an attacker with network access to essentially run arbitrary commands on the host operating system.

The bug affects Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, mainly running on Linux, but some Windows versions are affected as well. VMware does not have a patch available for the vulnerability (CVE-2020-4006), but has published a set of workarounds that limit the effects of the vulnerability. Although the flaw is considered critical, there are some mitigating factors that make exploitation somewhat more difficult, including the need for a valid password for the target account.

“VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a Command Injection Vulnerability in the administrative configurator,” the advisory says.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.”

Workspace One is VMware’s all-in-one platform for application and identity management for enterprises. It runs on both Linux and Windows and includes a number of different modules and features. The command-injection vulnerability affects Access, Access Connector, and Identity Manager on Linux, and Identity Manager Connector on both Windows and Linux. The workaround that VMware suggests requires a small configuration change to the appliance.

VMware did not provide an estimated date for the release of a patch for the vulnerability, so given the public knowledge of the details, implementing the workaround is key for enterprises running affected versions of the products.

Europol Arrests Two for Running Malware Crypter Services
By Dennis Fisher, https://duo.com/decipher/europol-arrests-two-for-running-malware-crypter-services, Mon, 23 Nov 2020

European authorities have arrested two Romanian suspects for allegedly running two crypter services that helped cybercriminals encrypt malicious files to evade antimalware systems.

The arrests were part of a joint operation by Europol, the Romanian Police, the FBI, and other national police forces to target cybercrime services. The two crypter services the suspects allegedly operated are CyberSeal and Dataprotector, and officials say the suspects also ran a separate service called Cyberscan that would test encrypted malicious files against various antimalware software to ensure that they were not detected. The unnamed suspects advertised the various services on underground forums, charging up to $300, depending upon the length of the license.

Crypter services have been around for many years and are used by a wide variety of cybercriminals to prepare their malware to slip by security software. Generally, the services run malicious files through one or more encryption algorithms and then pass them back to the customer. In some cases, as with the Romanian suspects’ services, the buyer can pay extra to have the file tested against a menu of antimalware systems to ensure the crypting process was effective.

“At the same time, the developers promoted the services intensively in the online environment and on platforms dedicated to cybercrime, offering users even video tutorials on the functionalities of the services for modifying various malware files,” the Romanian Police said.

“Following the investigations, a total number of approximately 3000 malware files modified by using the illegal services CyberSeal and DataProtector could be identified, files used to launch cyber attacks on computer systems around the world, including Romania.”

As cybercrime has proliferated and evolved in the last decade, individuals and small groups have begun to gravitate toward specific skills and services, a kind of division of labor that enables criminals to focus on what they’re best at and outsource the rest. While APT groups have internal development teams, operators, QA groups, and intrusion teams, cybercriminals who are farther down the food chain don’t have all of those resources at their disposal, so they often buy what they need from others in the criminal underground.

As part of the operation that included the two arrests, law enforcement officials also took down the back-end infrastructure used by the suspects in the United States, Romania, and Norway.

“Crypter services facilitate the spread and development of cyber attacks, thus becoming very dangerous and easy to use tools for both cybercriminals with experience and technical knowledge, but also for young people who are at the stage of experiments in the online environment,” the Romanian police said.

FBI Guidance Evolves on Ransomware Payments
By Dennis Fisher, https://duo.com/decipher/fbi-guidance-evolves-on-ransomware-payments, Wed, 18 Nov 2020

The decision of whether to pay the money during a ransomware infection can be an incredibly complex one, especially for organizations that may not have complete backups or that run critical systems that cannot afford downtime. Law enforcement agencies for many years have told victims not to pay, and when the Department of the Treasury issued a warning last month that paying ransoms to sanctioned entities could result in penalties, that only added another layer of complexity.

The wording in that advisory from the Office of Foreign Asset Control, which handles economic and trade sanctions, is ominous. It warns that victims or intermediaries that pay or facilitate payments to people or entities that are subject to OFAC sanctions may face serious consequences.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the advisory from Oct. 1 says.

That’s not a risk that many organizations would take on willingly in most circumstances, but enterprises faced with a ransomware attack that threatens the continuing operation of their business face a brutal choice: refuse to pay and risk considerable damage to the business, or pay and risk civil penalties. This dilemma is not lost on law enforcement officials, who see both sides of the ransomware problem.

“Paying the ransom from our perspective is a bad idea. It fuels further criminal activity and it’s bad for society in the long run. The reason this continues to happen is it’s profitable. Our position has to be that we do not recommend paying the ransom. The FBI would be remiss in the execution of its law enforcement duties if it said anything else,” Herb Stapleton, cyber division section chief at the FBI, said during a panel discussion at the CyberNextDC conference Wednesday.

“That being said we aren’t so unrealistic that we don’t recognize the realistic position that puts businesses in, especially small and medium businesses.”

The FBI’s stance on ransomware payments has been evolving somewhat in the last year. In October 2019, the bureau issued revised guidance on ransomware attacks and how to react to them, including a section that acknowledged the difficult choice victim organizations face.

"The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers," the section on paying the ransom in the updated guidance said.

In addition to the ransom payment decision, victim organizations also need to decide whether to bring in law enforcement. It may seem like a no-brainer; you’re the victim of a crime, call the police. But ransomware isn’t that cut and dried, and in many cases security teams are not sure what immediate benefit they will get from involving the FBI or other law enforcement agencies. They may also be wary of bringing in the FBI if they’ve already paid the ransom, fearing potential sanctions. Stapleton said that while that complicates things, victim organizations should still contact law enforcement as soon as possible during a ransomware incident.

“The FBI will continue to treat you as a victim even if you pay,” he said.

“There has been a wrench thrown in the works by the OFAC advisory, but it doesn’t change our position. That’s something we’re going to have to grapple with going forward: How sure are we that the payment is going to a sanctioned entity?”

Stapleton also pointed to a section of the OFAC advisory that offers a potential lifeline to companies that work with law enforcement even if they pay a ransom to a sanctioned entity.

“OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome,” the advisory says.

Some of the most damaging ransomware attacks in recent months have targeted hospitals and other health care providers, as well as organizations working on COVID-19 vaccine research. Security experts and law enforcement officials have warned organizations in those sectors about the increase in ransomware activity and have called on agencies around the world to go after the groups behind the attacks, many of which are known to researchers and law enforcement alike.

“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law. We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, said in a post last week.

Public Exploits Give Attackers a Head Start
By Fahmida Y. Rashid, https://duo.com/decipher/public-exploits-give-attackers-head-start, Wed, 18 Nov 2020

Vulnerability management is often described as a race, where enterprise defenders try to patch vulnerabilities before they can be exploited, and attackers try to exploit the flaws while the systems are still vulnerable. The latest research from Kenna Security and Cyentia Institute found that attackers have a head start over defenders if the exploit code is available for a vulnerability before a patch is released. However, that didn’t mean that defenders didn’t benefit from having the code before a patch.

When exploit code is available “in the wild,” it gives attackers a 47-day head start on their attacks, Kenna and Cyentia said in the sixth volume of the Prioritization to Prediction report. Depending on whether exploit code was released first or a patch was released first, there were periods when attackers had the momentum to carry out their attacks and when defenders had the momentum to remediate their systems and defend against attacks. Over the 15-month study period, attackers had the upper hand for nine months, while defenders had the advantage for six months.

“[The] timing of exploit code release can shift the balance in favor of attackers or defenders,” said Ed Bellis, CTO of Kenna Security.

There were more than 17,000 CVEs published in 2019, but just 473 were actually exploited in the wild, the researchers found. This is consistent with earlier research from Kenna and Cyentia that found that a small subset of vulnerabilities get exploited in attacks. This volume focused on the 473 publicly exploited vulnerabilities to compare the timeline of exploit development with how vulnerabilities are managed. For the purpose of this research, exploit code considers attack code developed by the adversaries, as well as proof-of-concept code that may accompany a disclosure report and tests that allow defenders to determine if their systems are vulnerable.

The analysis—which drew on data compiled by Kenna Security from its various services and data collected by Fortinet’s security appliances—found that exploit code was already available for more than 50 percent of vulnerabilities (which were eventually exploited in the wild) by the time the CVEs were published. To balance things out, 80 percent of those CVEs were published at the same time the patches were released. While there is strong evidence that early disclosure of exploit code gives attackers an advantage, that doesn’t mean that defenders don’t benefit from having access to the exploit code before a patch.

One long-held assumption in security is that a vulnerability being exploited in the wild means everyone should consider themselves under attack. The perception is that the "probability of exploitation goes from 0 to 1 overnight," the researchers wrote. However, an exploit in the wild did not mean that attacks were “raging hog wild across the internet.”

Exploited in the wild does not mean widely exploited, Cyentia co-founder Jay Jacobs said. Just 6 percent of the vulnerabilities being exploited in the wild were found in attacks against more than 1 out of 100 organizations. Fewer than 1 percent were in attacks against 1 out of 3 organizations, which would be an example of a "spray and pray" attack, where adversaries launch indiscriminate attacks against a large pool of victims. About three-quarters of the publicly exploited CVEs were found in attacks against 1 in 11,000 organizations.

“Exploited in the wild does not necessarily mean you are exploited,” Bellis said.

How to Disclose?

That 47-day advantage makes it tempting to argue that disclosing vulnerabilities and developing proof-of-concept exploit code before a patch is released is irresponsible. But the data doesn’t quite go that far, Cyentia co-founder Jay Jacobs said. It is possible that releasing a proof-of-concept makes it easier to detect that an attack is in progress, not that it makes it easier to launch an attack. Perhaps the attacks had already been in progress, but there was no way to detect them beforehand. Release of the code made detection possible, because defenders now had a way to find the attacks.

The disclosure debate will continue, Jacobs said.

Understanding the Lifecycle

The analysis looked at the lifecycle of a vulnerability—when it was discovered, when a CVE was reserved, when the details of the vulnerability were published (as a CVE), when a patch was released, when the flaw could be detected by vulnerability scanners, and when it was exploited—and found that in most cases, there wasn’t a clear pattern. Just 16 percent of the CVEs followed this particular order of events. Sometimes the vulnerability was exploited in the wild before a patch was available. Sometimes the exploit code was available before the CVE was published. Sometimes, especially in the case of coordinated disclosure, all of these steps happened on the same day, or within days of each other.

“There is no standard order of operations,” Bellis said.

As noted earlier, about 60 percent of vulnerabilities have a patch before the CVE is officially published. About 24 percent of the time, exploit code was public before the patch was released. About 10 percent of the exploitations (the last step in the lifecycle) occurred before a patch was available.

Over 80 percent of vulnerabilities have a patch within a few days following the publication of the CVE. Within two days of the patch being released, nearly 80 percent of vulnerabilities can be detected by scanners.
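The ordering statistics described in this section are straightforward to compute once each CVE's milestone dates are in hand. The following is an added example, not code or data from the Kenna/Cyentia report: it takes a handful of constructed lifecycle records (the CVE identifiers, dates and field names are all assumptions), checks each one against the canonical discovered-reserved-published-patched-detectable-exploited order, counts how often a patch precedes the CVE, how often exploit code or in-the-wild exploitation precedes the patch, and reports the median attacker head start in days for the records where exploit code came first.

```python
"""Vulnerability-lifecycle ordering statistics.

Added example in the spirit of the analysis described above. The records
below are constructed, and the milestone names are assumptions rather than
the report's actual data schema.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional

# Canonical order of milestones, as listed in the article.
CANONICAL_ORDER = ("discovered", "reserved", "published",
                   "patched", "detectable", "exploited")


@dataclass(frozen=True)
class CveLifecycle:
    cve_id: str
    discovered: date
    reserved: date
    published: date
    patched: Optional[date]        # None if no patch yet
    detectable: Optional[date]     # first day scanners could flag it
    exploit_code: Optional[date]   # public exploit / PoC / detection test
    exploited: Optional[date]      # first observed in-the-wild exploitation


def follows_canonical_order(rec: CveLifecycle) -> bool:
    """True if every canonical milestone is known and non-decreasing in date."""
    dates = [getattr(rec, name) for name in CANONICAL_ORDER]
    if any(d is None for d in dates):
        return False
    return all(a <= b for a, b in zip(dates, dates[1:]))


def advantage(rec: CveLifecycle) -> str:
    """Who had the head start: 'attackers' if exploit code preceded the patch,
    'defenders' if the patch came first, 'tie' if same day or neither known."""
    code, patch = rec.exploit_code, rec.patched
    if code is not None and (patch is None or code < patch):
        return "attackers"
    if patch is not None and (code is None or patch < code):
        return "defenders"
    return "tie"


def lifecycle_stats(records: Iterable[CveLifecycle]) -> Dict[str, object]:
    recs = list(records)
    n = len(recs)
    pct = lambda k: round(100.0 * k / n, 1)  # noqa: E731

    canonical = sum(follows_canonical_order(r) for r in recs)
    patch_before_cve = sum(1 for r in recs
                           if r.patched is not None and r.patched < r.published)
    code_before_patch = sum(1 for r in recs if advantage(r) == "attackers")
    exploited_before_patch = sum(
        1 for r in recs
        if r.exploited is not None and (r.patched is None or r.exploited < r.patched))
    # Head start only makes sense when both dates exist and code came first.
    head_starts: List[int] = [(r.patched - r.exploit_code).days for r in recs
                              if r.exploit_code and r.patched and r.exploit_code < r.patched]
    return {
        "count": n,
        "pct_canonical_order": pct(canonical),
        "pct_patch_before_cve": pct(patch_before_cve),
        "pct_exploit_code_before_patch": pct(code_before_patch),
        "pct_exploited_before_patch": pct(exploited_before_patch),
        "median_head_start_days": median(head_starts) if head_starts else None,
    }


# Constructed sample records (not real CVEs).
SAMPLE: List[CveLifecycle] = [
    # Coordinated disclosure: CVE and patch same day, code and attacks later.
    CveLifecycle("CVE-EXAMPLE-0001", date(2019, 1, 5), date(2019, 1, 6), date(2019, 3, 1),
                 date(2019, 3, 1), date(2019, 3, 2), date(2019, 3, 10), date(2019, 3, 20)),
    # Exploit code 47 days before the patch; exploited before patch too.
    CveLifecycle("CVE-EXAMPLE-0002", date(2019, 2, 1), date(2019, 2, 2), date(2019, 2, 3),
                 date(2019, 4, 1), date(2019, 4, 2), date(2019, 2, 13), date(2019, 3, 1)),
    # Silent fix: patch shipped before the CVE was published.
    CveLifecycle("CVE-EXAMPLE-0003", date(2019, 5, 1), date(2019, 5, 2), date(2019, 6, 1),
                 date(2019, 5, 20), date(2019, 6, 2), date(2019, 6, 15), date(2019, 7, 1)),
    # Zero day with no patch yet.
    CveLifecycle("CVE-EXAMPLE-0004", date(2019, 7, 1), date(2019, 7, 2), date(2019, 7, 20),
                 None, None, date(2019, 8, 1), date(2019, 8, 15)),
    # Canonical order, but a PoC appeared 5 days before the patch.
    CveLifecycle("CVE-EXAMPLE-0005", date(2019, 9, 1), date(2019, 9, 2), date(2019, 9, 10),
                 date(2019, 9, 10), date(2019, 9, 11), date(2019, 9, 5), date(2019, 9, 30)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.cve_id, advantage(r), follows_canonical_order(r))
    print(lifecycle_stats(SAMPLE))
```

The `<=` in `follows_canonical_order` is deliberate: the article notes that in coordinated disclosure several milestones land on the same day, and that should still count as the canonical pattern. Only records with both a public exploit date and a patch date contribute to the head-start figure, so the unpatched zero day is counted as an attacker advantage but not as a measurable number of days.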

“Companies are, for the most part, issuing patches when researchers point them out,” Bellis wrote in the blog post. “[Defenders] know where the vulnerability exists across their assets and have the means (the patch) to begin remediating it.”

Congress Passes IoT Security Law
By Fahmida Y. Rashid, https://duo.com/decipher/congress-passes-iot-security-law, Tue, 17 Nov 2020

Congress has unanimously passed the bipartisan IoT Cybersecurity Improvement Act, which would set minimum security requirements for developing, patching, and configuring Internet of Things devices.

The IoT Cybersecurity Improvement Act requires all IoT devices purchased by the government to meet minimum security requirements, such as how vulnerabilities are patched. Under the new law, the National Institute of Standards and Technology would create the security standards for development, patching, and identity and configuration management of IoT devices. Government agencies are required to make sure all IoT purchases follow the NIST recommendations. Device vendors will also be required to have a formal process for how vulnerabilities are reported.

The road for the bill was a slow one, despite broad bipartisan support and a lack of controversy. It was a bill that simply said that Internet devices should be secure and meet some standards. The bill was first introduced in 2017 and reintroduced in 2019. The House of Representatives unanimously passed the bill back in September. The bill passed the Senate, also unanimously, and now needs to be signed into law by the president.

The legislation was supported by Sen. Mark Warner (D-Va.) and outgoing Sen. Cory Gardner (R-Colo.), as well as Reps. Will Hurd (R-Tex.) and Robin Kelly (D-Ill.). It also has industry backing from major security and technology companies. The Senators, Representatives, and their staff “deserve special credit for years of work on this important legislation, as well as,” Harley Lorenz Geiger, director of public policy at Rapid7, wrote on Twitter. “Passing a not-uncontroversial bill is a feat even without an election, a pandemic, and heightened partisanship. Kudos!”

The IoT Cybersecurity Improvement Act has several key provisions. Along with requiring NIST to issue standards-based guidelines for devices owned or controlled by the federal government, the law specifies that federal acquisition rules must be updated to reflect the security standard and guidelines. Federal agencies cannot procure, obtain, or renew contracts for devices that cannot meet these guidelines. The Office of Management and Budget will also be issuing rules requiring federal civilian agencies to have information security policies consistent with NIST guidelines.

One of the sections also focuses on federal agencies implementing a vulnerability disclosure policy, a requirement that extends to contractors providing information systems to agencies. This will be particularly important since this will guide both the public and private sector on how to disclose vulnerabilities in these devices, and potentially encourage more public coordination.

While there have been some efforts within different parts of the federal government to carve out basic security requirements for IoT, this law is the first substantial government action to date. Some federal agencies have required devices within their scope to have some level of security, such as the Food and Drug Administration issuing regulations for medical devices, but most of the leadership has been at the state level (California and Oregon) or internationally (the United Kingdom).

Once the bill is signed into law, the United States can claim a leadership position on IoT security “at a time when most bold IoT security initiatives seem to emanate from US states and non-US countries,” Geiger said.

The bill applies only to IoT used in federal networks and not broadly across every internet-enabled device. The responsibility for secure and trustworthy IoT lies ultimately with the manufacturers, so they can choose not to follow the NIST recommendations and still be able to sell outside the federal government. While that suggests the law would have a limited impact, setting government standards is actually a good way to get the broader marketplace to follow, because it sets an example.

Consumers can demand better security—they may not know exactly what they are getting, but the fact that some devices are more secure than others will drive their purchasing decisions. It’s a little similar to how consumers may look for the phrase “military-grade encryption” in their devices, because it sounds more secure.

Without consumer pressure, “it’s unlikely we’ll see the level of action required to turn the IoT security tides across the board,” Geiger wrote for Rapid7 back in September after the House passed its version of the bill.

The Cybersecurity Solarium Commission made more than 75 recommendations on how the executive and legislative branches of government could overhaul the nation's cybersecurity strategy, and the security of Internet-enabled devices was one of the things it focused on. Since the report was released earlier this year, the commission has continued to make other recommendations for elevating the security of all IoT devices—not just in federal government—such as unique authentication by default, which would require IoT devices to have new identification once plugged into a network.

“The U.S. government is setting the tone from the top, and until guidelines or formal regulations are implemented at an end user level, it’s a shared responsibility to be smart when it comes to IoT usage,” Geiger said.

Firefox Adds HTTPS-Only Mode
By Dennis Fisher, https://duo.com/decipher/firefox-adds-https-only-mode, Tue, 17 Nov 2020

With its newest release, Firefox is adding a feature called HTTPS-Only that will automatically switch any plaintext HTTP connections to secure ones, making it simpler for users to ensure that their connections aren’t being monitored.

The new setting is similar to one that Google Chrome has that makes HTTPS the default connection mode in the browser. Mozilla’s change comes in Firefox 83, which the company rolled out on Tuesday. Enabling the setting is just a matter of going into the Privacy and Security section in Settings and choosing the option.

Although a significant portion of websites offer HTTPS as a connection option, some sites still support HTTP connections. So if a user manually types the URL into the address bar using HTTP as the prefix, those servers will use the insecure protocol for the connection. Those connections can be monitored passively by any adversary on the network. Enforcing the use of HTTPS at the browser level helps prevent users from hitting those HTTP sites, whether accidentally or intentionally.

“Once HTTPS-Only Mode is turned on, you can browse the web as you always do, with confidence that Firefox will upgrade web connections to be secure whenever possible, and keep you safe by default. For the small number of websites that don’t yet support HTTPS, Firefox will display an error message that explains the security risk and asks you whether or not you want to connect to the website using HTTP,” Mozilla said.

“It also can happen, rarely, that a website itself is available over HTTPS but resources within the website, such as images or videos, are not available over HTTPS. Consequently, some web pages may not look right or might malfunction. In that case, you can temporarily disable HTTPS-Only Mode for that site by clicking the lock icon in the address bar.”

Virtually every legitimate site that allows users to enter sensitive information such as credit card data, bank information, or health information, employs HTTPS, and it’s ubiquitous on content sites, shopping sites, and most of the rest of the web. But there are still some corners of the web where HTTP is hanging on, and there also are old links in many places that point to HTTP versions of websites. The HTTPS-Only mode, like the one in Chrome, addresses that problem by switching to an HTTPS connection if the destination server supports it.

Civil Liberties Groups Decry Calls for Encryption Backdoors
By Dennis Fisher, https://duo.com/decipher/civil-liberties-groups-decry-calls-for-encryption-backdoors, Mon, 16 Nov 2020

A group of 14 civil liberties organizations from the United States and Europe is raising the alarm about recent calls from government agencies for access to encrypted communications, saying those efforts would not have a measurable effect on crime and would cripple vital security systems for millions of people.

The International Network of Civil Liberties Organizations on Monday issued a statement that echoes concerns from many similar groups about efforts by the Department of Justice, Council of the European Union, and the European Commission to weaken encrypted communication systems and apps in order to provide access for law enforcement agencies. This has been a consistent drumbeat from legislators and law enforcement agencies both in the U.S. and Europe for many years, but the calls for encryption backdoors have been growing louder and more frequent as secure messaging apps have proliferated and become the go-to communication mechanism for many people. Apps such as Signal, WhatsApp, and Telegram have drawn the ire of regulators and law enforcement agencies in many countries recently for not providing a capability for law enforcement to access users’ messages.

Last month, officials from justice agencies in the U.S., UK, India, Australia, and Japan released a joint statement calling on technology providers to give law enforcement “access to content in a readable and usable format” when a warrant or other legal authorization is issued.

“Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content,” the statement said.

There are also several proposed bills in Congress right now that would affect the use of strong encryption and the ability of platform and app providers to build it into their products. The INCLO statement, which was signed by 14 of the 15 member organizations including the American Civil Liberties Union, the Irish Council for Civil Liberties, and the Canadian Civil Liberties Association, warns that weakening encryption will have myriad unintended consequences.

“So many of our online activities involve the transmission of highly sensitive data that is currently protected by strong encryption. Any weakening of that encryption, no matter how well intentioned, will weaken security around these activities; increase the chance of that encrypted data being accessed by malicious third parties; increase well-founded fears of fraud and identity theft; and likely breed distrust,” the statement says.

“INCLO calls on authorities to protect E2EE and safeguard the privacy and innumerable daily security benefits and uses of encryption by people around the world.”

Many of the proposals to grant law enforcement some sort of access to encrypted communications involve technology providers and app developers holding encryption keys for users’ sessions so they can provide plaintext when law enforcement presents a warrant or court order. Others call for a vague technology to be embedded in devices or apps in order to grant access. None of these proposals has been received positively by the major technology providers, and vendors such as Apple and Google have been going in the opposite direction, adding encryption to more of their products and services and speaking out publicly against encryption backdoors. If anything, that trend is likely to grow stronger as user demand for encrypted services grows.

Security Leaders Uneasy CISA Chief May be Fired - fahmida@decipher.sc (Fahmida Y. Rashid) - https://duo.com/decipher/security-leaders-uneasy-cisa-chief-may-be-fired - Mon, 16 Nov 2020 00:00:00 -0500

Updated Nov. 18: In a clearly political move, Christopher Krebs was removed from his post for continuing to insist the elections had been secure. "The dismissal of Christopher Krebs as Director of the Cybersecurity and Infrastructure Security Agency is political, surreal, and disheartening," said Chloé Messdaghi, vice-president of strategy at Point3 Security. "Many in the cybersecurity community are deeply disappointed and more than a bit nervous."

"CISA's role was to be the organization that works closely with all stakeholders (industry, public sector and the American people) and to help keep the US ahead of cybersecurity threats, both those in the form of attacks and of misinformation campaigns," Messdaghi said.

Original story:

The Cybersecurity and Infrastructure Security Agency’s role goes beyond national security and securing elections. Any shakeup at CISA’s leadership level would affect the work the agency has been doing with private sector organizations.

Rumors have been rampant over the past few days that Christopher Krebs will be ousted as CISA’s top official—Reuters reported Krebs expects to be fired. Several key figures at the Department of Defense resigned shortly after Secretary of Defense Mark Esper was fired. (Heads have also rolled at the U.S. Agency for International Development, the Energy Department and the National Oceanic and Atmospheric Administration—a climate change denier is now in charge of NOAA’s US Global Change Research Program.) Bryan Ware, CISA’s Assistant Director for Cybersecurity and a Krebs deputy, resigned from his post but declined to discuss the terms of his departure.

“I’m very proud of the work that CISA has done this year,” Ware told Cyberscoop. Ware also noted that CISA played a role in the country’s pandemic response by working closely with healthcare organizations, pharmaceutical companies, medical research institutions and universities to protect them from cyberattacks targeting research and other work related to the novel coronavirus. “We leaned into protecting the nation’s COVID response.”

Along with election security—“The November 3rd election was the most secure in American history”—and pandemic response, CISA has pushed forward on other key areas, including supply chain, information sharing and threat hunting, and 5G. The agency was established two years ago with the Cybersecurity and Infrastructure Security Agency Act of 2018, which reorganized the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency, to “build the national capacity to defend against cyber attacks.”

CISA has substantially raised awareness of third party risks, especially through the dedicated task force focused on supply-chain issues, said Chloé Messdaghi, vice-president of strategy at Point3 Security. “He’s [Krebs] helped educate companies that they’re only as secure as is the weakest link in their supply chain, and he’s continuously urged companies to evaluate the security and risk management of their vendors.”

CISA also provides “trusted communications channels” to talk about vulnerabilities and security threats. Pandemic response is just one example. CISA issues binding operational directives, which are rules federal agencies have to comply with, such as deploying security updates or changing a security configuration to make networks more secure. These directives are mandatory only for government agencies, not private sector organizations, but they set the tone. When CISA issued a binding operational directive ordering patching for a Microsoft flaw, it highlighted how important this was.

“CISA has provided unified emergency communication around cybersecurity and national risk management issues, and has helped unify and structure communications around these issues from the myriad of US intelligence agencies such as the FBI, NSA and CIA,” Messdaghi said.

Any kind of personnel move is tricky during times of transition—there is a lot of institutional knowledge to pass on and it is reassuring to have new and previous leaders work together to avoid interruptions to day-to-day operations. It is similar to why executives may be asked to stay on after an acquisition. Changes in leadership of an agency tasked with securing the country’s critical infrastructure will heighten the government’s vulnerability, and potentially disrupt the security of private sector organizations, as well.

Google Patches Two More Chrome Zero Days Used by Attackers - dennis@decipher.sc (Dennis Fisher) - https://duo.com/decipher/google-patches-two-more-chrome-zero-days-used-by-attackers - Fri, 13 Nov 2020 00:00:00 -0500

Google on Wednesday patched two high-severity vulnerabilities in Chrome that the company says are in use by attackers.

The two flaws are the only ones fixed in the latest Chrome update, but given the existence of known exploits for them both, it should be a high priority update for enterprises. One of the vulnerabilities is an implementation flaw in V8, the JavaScript engine in Chrome, and the other bug is a use-after-free in site isolation.

Google did not release any of the details about either vulnerability, as is typical for most of the bugs it patches in Chrome. Both flaws were reported to Google last week by an anonymous researcher and Google released updated versions of Chrome for Windows, Mac, and Linux Wednesday.

This is the third time in less than a month that Google has pushed out an update in Chrome to address vulnerabilities that were under active exploitation. In late October, Google’s Project Zero identified a vulnerability in the FreeType font-rendering engine that’s used in Chrome and many other applications. That vulnerability is a heap buffer overflow and Google’s researchers found that attackers were already exploiting it.

“I've just fixed a heap buffer overflow that can happen for some malformed .ttf files with PNG sbit glyphs. It seems that this vulnerability gets already actively used in the wild, so I ask all users to apply the corresponding commit as soon as possible,” Werner Lemberg, one of the original authors of the FreeType, said in an email to the FreeType announcement mailing list.

Then, a couple weeks later on Nov. 2 Google released another update for Chrome that fixed a separate implementation flaw in V8 that was also being actively exploited. That bug was also discovered by Project Zero, as was a zero day for Chrome on Android that attackers were exploiting.

Deciphering Johnny Mnemonic - dennis@decipher.sc (Dennis Fisher) - https://duo.com/decipher/deciphering-johnny-mnemonic - Thu, 12 Nov 2020 00:00:00 -0500

Security Incidents Affect Victims Differently, Even the Mega-Breaches - fahmida@decipher.sc (Fahmida Y. Rashid) - https://duo.com/decipher/security-incidents-affect-victims-differently-even-with-mega-breaches - Tue, 10 Nov 2020 00:00:00 -0500

The latest Cyentia Institute research shows that even the costliest mega-breaches or crippling, sophisticated nation-state attacks don't impact victims equally. And even if most organizations won't experience these types of catastrophic security incidents, understanding the factors that led to them and the outsized impact they have on victims is a valuable lesson to learn.

Back in March, the data scientists at Cyentia Institute analyzed a dataset spanning tens of thousands of security events over the last decade, provided by insurance data provider Advisen, to understand the frequency and financial impact of security incidents. The Information Risk Insights Study (IRIS) found that financial losses as a result of a security incident typically ran about $200,000, but 10 percent of the breaches exceeded $20 million in losses. IRIS found differences other than financial losses between “typical” and “extreme” events. The IRIS 20/20 Xtreme report followed up on that research by narrowing the focus to just the “extreme” events in the last five years.

“Our primary goal remains the same as the IRIS 20/20—to clear the fog of fear, uncertainty and doubt (FUD) surrounding cyber risk and help managers see their way to better data-driven decisions,” Cyentia Institute wrote in the report.

Just 103 incidents truly fit the definition of an extreme event, which the Cyentia team defined in terms of the number of records exposed (at least 20 million records) and total financial losses (at least $20 million). Both cut-off points came from the original IRIS research. Just 0.5 percent of incidents in the IRIS dataset involved that many records, and 10 percent cost organizations that much. IRIS Xtreme focused on 56 security incidents over the last five years with “publicly discoverable losses of or above $20 million” and 47 incidents where at least 20 million records were exposed.

Taken in aggregate, these events totalled $18 billion in reported losses and resulted in 10 billion compromised records. Loss includes expenses incurred during response and remediation, losses associated with lost productivity, and fines and judgements after the incident. In one incident, the researchers included the impact of a cancelled IPO, which was an example of “softer opportunity costs that also need to be considered.” The median loss among “extreme” incidents in IRIS Xtreme was $47 million, with just over one-in-four exceeding $100 million, Cyentia Institute said. Five organizations—Facebook, Merck, FedEx, Equifax, and Experian—experienced incidents with $1 billion or more in losses.

Per the Wall Street Journal, both Merck and FedEx were hit by the 2017 NotPetya ransomware attack. Cyentia found that NotPetya alone accounted for 75 percent of all the extreme events in its dataset from mid-2017.

By collecting additional data points associated with these events, Cyentia was able to break down the costs, categorize incident types, identify actors and the actions they took, and understand how these events impacted the victim organizations.

It sometimes feels like the attacks are getting more destructive over time, and there is some evidence that extreme events grew more common between 2015 and 2020 in the data, but not yet enough to say so conclusively. The data doesn’t suggest that extreme events are becoming more costly over time, although that may change as regulators start enforcing their rules and applying larger fines, such as under General Data Protection Regulation (GDPR).

Impact is Not Equal

Even among these extreme incidents, there were some outliers. For some, they were devastating, costing nearly 100 times the organization’s annual revenue, and for others, the impact was easier to shrug off, costing less than 0.1 percent. The researchers found a “clean 70/30 split” in the data, with 70 percent of the incidents having losses amounting to 10 percent or less of annual revenue. The “unlucky” 14 percent experienced costs exceeding annual revenue.

The Fortune 1000 may be writing a larger check, but the SMB is the one that is going to be hurting.

The original IRIS analysis found that larger organizations—the Fortune 1000—would be likely to have higher losses in terms of actual dollars compared to smaller organizations, but the larger organizations would have the financial cushion to absorb the loss. The disproportionate impact on the SMB—those with less than $50 million in annual revenue—was even more stark in IRIS Xtreme.

“Major cyber loss events cause far greater relative harm to small and medium-sized businesses (SMBs) than larger enterprises,” Cyentia wrote.

Impact isn’t measured in just dollar amounts. “Consequences like executive churn, organizational bankruptcy, and SEC scrutiny can make board members sit up and pay attention more than any single dollar value can,” Cyentia noted. Cyentia found that 27 incidents were reported in Securities and Exchange Commission filings and 23 prompted some form of government inquiry, such as Congressional hearings. About a quarter of the incidents led to changes in executive leadership, as people resigned or were fired for their role in the incident (either for the incident happening under their watch or how they handled the response). The fear of going out of business because of a security incident is a big concern, but in this dataset, there were only three events that led to the organization to shut its doors.

Focusing on total losses also obscures the fact that the impact is uneven throughout the organizations. It is difficult to find a detailed breakdown of losses, but Cyentia was able to piece together a “hypothetical invoice of misery” using financial reports, public records, and other sources. The median value for productivity and revenue loss among these extreme events was $68 million, while the median response cost was $24 million. Many times, the focus after a security incident is on how much the organization spent responding to the incident, but the analysis suggests that is not the biggest part of the price tag. Even replacement costs—getting new servers or upgrading systems to avoid a repeat of the incident—have a higher median value, at $32 million.

Cyentia found that how well a firm responded to the incident impacted total losses incurred. It makes sense: Equifax was excoriated for how it handled the massive data breach which impacted 143 million American consumers. In Cyentia’s analysis, how well a firm responded to the extreme event was a matter of perception, since not making public mistakes in its response doesn’t mean there were no issues internally. The median total loss in events where the organization was perceived as handling response poorly was $109 million, compared to the median total loss of $39 million where the organization didn’t display any clues about how well it handled response.

It is far easier to find information about costs incurred during response, losses associated with lost productivity and revenue, and fines that arise from regulatory actions and lawsuits. While reputational damage and competitive disadvantage is something that gets regularly mentioned as part of the costs of a data breach, Cyentia did not uncover data indicating what those losses would look like.

“Losses caused directly from the event itself are more common—or at least more discoverable— than those incurred by the reaction of outside parties,” Cyentia said. As a result, businesses may benefit from investing in insurance policies specifically for cybersecurity incidents and having incident response teams on retainer (or having in-house teams).

Extreme Events Aren’t...Fancy

To hear organizations describe it, data breaches are the result of sophisticated and complex attacks. The data, however, shows that even among these most damaging attacks, most of them were the result of stolen credentials, followed by remote access malware.

Credential-related attacks showed up in 46 extreme events and $10 billion in losses. Remote access malware—backdoors—was used in 31 events. About a quarter of incidents involved web application attacks, such as SQL injection or cross-site scripting, and exploits against known software vulnerabilities (not zero-days!) were used in 22 events. Phishing or pretexting was used in 18 incidents.

Prompter patching may have avoided half of all costs across all events in this study, the researchers noted. The high prevalence of credential-related attacks showing up in this report should be the strongest sign that organizations should be using multi-factor authentication.

In case anyone still had doubts that ransomware was a big problem, 21 incidents in IRIS Xtreme involved ransomware. A single ransomware campaign—the NotPetya attack in 2017—accounted for 20 percent of the losses, or $3.5 billion, across all events in this report.

Considering the report looked at some of the most damaging incidents in the last 5 years, it was surprising that only one in five were attributed to state-affiliated actors. So while they’re responsible for 43 percent of all monetary losses in this report, nation-state adversaries aren’t the biggest threats.

It’s easy for organizations to get bogged down with the headlines of catastrophic cyberattacks and then shrug them off because they are too small or too insignificant or too different to experience these types of incidents. Cyentia’s analysis suggests that the dividing line between garden-variety attacks and these extreme events is not all that wide.

The analysis in IRIS Xtreme suggests the organization’s industry sector would be a better indicator of whether an extreme event is something to worry about. Financial, information and manufacturing sectors were victims in more than half of the 103 incidents, according to the report.

“To paraphrase a famous quote from bank robber William Sutton, extreme events occur where the money (or the data) are found,” the researchers wrote. “The Finance and Information sectors have both in abundance.”

Despite being more frequently targeted, the financial sector (22 incidents out of 103) was fifth in terms of total losses, compared to the information sector, which had the highest total losses in this dataset. The researchers speculated that the financial services’ history of risk management helped in mitigating the impact of these incidents.

It is valuable to look at these extreme incidents because “they are happening with surprising regularity,” wrote Derek Vadala, CEO of VisibleRisk, a joint venture between Moody’s and security company Team8, and the report’s sponsor. “There were some very business-relevant events existing in the gray area between commonplace events and the worst kinds of cyber breaches that live at the very edge of the curve.”

Boards need “to know what a significant, adverse cyber event would look like for their organization,” Dr. Jack Freund, the head of methodology at VisibleRisk, wrote at the end of the report. Boards can use the total losses associated with extreme events to determine if they have set aside enough money in their capital reserve (“rainy day fund”) to survive a serious incident and assess if their insurance policies are adequate. “Only then can they truly understand what is required to protect their organization in a holistic way.”

Trickbot Back on the Block - dennis@decipher.sc (Dennis Fisher) - https://duo.com/decipher/trickbot-back-on-the-block - Tue, 10 Nov 2020 00:00:00 -0500

A month after Microsoft and the United States government conducted separate operations to disrupt the Trickbot malware network, the botnet’s command-and-control infrastructure appears to have gone completely offline for a short while, but a new spam run in the last 24 hours is now distributing the malware again.

Researchers have been tracking the effects of the takedown efforts for the last several weeks, watching as the malware operators moved to new command-and-control servers and continued to run new infection campaigns. Microsoft’s operation against Trickbot focused primarily on C2 infrastructure located in the U.S. and it was successful in getting a court order to take over those control servers. But Trickbot’s operators had control servers in Europe and the Caribbean, too, and continued to use those after the operation from Microsoft and a distinct effort by the U.S. Cyber Command that targeted the configuration files used to give new instructions to compromised computers.

The Trickbot operators have conducted new spam campaigns in recent weeks aimed at infecting new machines, using the Emotet trojan as the most common infection vector. However, the last week had seen a drop-off in Trickbot activity, and researchers at security firm Intel 471 said they had seen no new Trickbot C2 servers come online in that time.

“We observed the number of active and working Trickbot control servers being reduced over time until Nov. 5, when we were unable to identify any working Trickbot control servers as of Nov. 6,” the company said in a new research report.

However, that does not mean that the Trickbot operators have stopped their activities altogether. Researchers who track Trickbot spam activity have reported renewed spam campaigns spreading Trickbot-laden malicious documents in the last day, as well. Marcus Hutchins, a malware researcher at Kryptos Logic, said Tuesday the operators appear to have modified the configuration files to evade detection.

"TrickBot is back active again. They made changes to how the config works, but doubt it’s going to provide any resilience against competent analysts," he said on Twitter.

Intel 471 confirmed this, too.

"On Nov. 9, 2020, we did see a new version of Trickbot that was distributed via a spam campaign (gtag tar2)," the company said Tuesday.

Trickbot has been part of an infection chain involving Emotet and the nasty Ryuk ransomware for nearly two years, with cybercrime groups buying access to Trickbot-infected machines in order to install Ryuk. Ryuk is used by a number of individual attack groups and it has been blamed for ransomware incidents at several hospitals and health care facilities in recent weeks. In late October, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory on increased ransomware activity, specifically from Ryuk.

“In these recent Ryuk attacks, incident responders have reported that instead of seeing Trickbot as the initial infection, they saw a different malware known as BazarLoader aka KEGTAP. BazarLoader is linked to the Trickbot operators in many ways, including shared infrastructure and code similarities,” the Intel 471 report says.

“This indicates the actors linked to Trickbot continue to launch targeted ransomware attacks successfully despite the disruption of Trickbot malware infrastructure. It was unclear whether the Trickbot operators will return to using Trickbot or will completely move to using BazarLoader as a replacement.”

Privacy Labels for iOS and Mac Apps Are Coming - fahmida@decipher.sc (Fahmida Y. Rashid) - https://duo.com/decipher/privacy-labels-for-ios-and-mac-apps-are-coming - Mon, 09 Nov 2020 00:00:00 -0500

Starting Dec. 8, developers will need to provide information about what kind of data their apps collect and how the data will be used. Just as food manufacturers are required to print nutritional labels on food to provide nutrition information such as calories and ingredients, these apps will have “privacy labels” telling users upfront how the apps use information.

The developer-reported information—all the different types of data being collected, how the data is linked to the user (if at all), and whether the data is used for tracking purposes—will be displayed on the app’s page in the iOS App Store and Mac App Store, Apple said in the developer support page. There is no exception for this—new and existing apps must have this information if they are to remain in the app stores.

The goal is to make it easy for the user to know exactly what the app will do before installing the app.

Developers have to submit the information—such as names, email addresses, contact numbers, and physical addresses—through the App Store Connect website, and identify all possible uses for that data. That is the case even if the app is using it for limited purposes. For example, if the app needs the user’s location, it will be displayed on the label (even if it never gets shared with third parties).

Apple said it would start requiring developers to provide this information back during WWDC 2020 in June. The requirement goes hand-in-hand with iOS 14’s ad anti-tracking feature. The goal is to make that information readily available at the moment the app is being downloaded and installed, instead of making users scroll through lengthy and often confusing privacy policies.

Even the most privacy-conscientious users have a difficult time understanding what apps are doing with their data. Recent Duo Labs research found that data brokers have a lot of information about users that was collected via apps, but users rarely know which apps provided which piece of information to the brokers. The only way to even start untangling that snarl of data relationships is to look at what software development kits app developers are using, or to trace data partners from one app to another. It is time-consuming, and the user still doesn't have a complete picture.

Apple’s requirement to force developers to reveal what apps are doing with user data is a good step for privacy, but the fact that this is developer-provided means there are too many loopholes. It is up to the developer to make sure the labels are up-to-date and reflect the latest information whenever changes are made or functionality added. There doesn’t seem to be a mechanism for Apple to verify developers are telling the whole truth about their data partnerships, so users are left hoping that maybe they know enough from the labels to make an informed choice.

The developer-provided responses should “follow the App Store review guidelines and applicable laws,” Apple said on its developer page. “Examples of data that may not need to be disclosed include data collected in optional feedback forms or customer service requests that are unrelated to the primary purpose of the app and meet the other criteria above. For the purpose of clarity, data collected on an ongoing basis after an initial request for permission must be disclosed.”

Apple Fixes Three Flaws Exploited in the Wild - dennis@decipher.sc (Dennis Fisher) - https://duo.com/decipher/apple-fixes-three-flaws-exploited-in-the-wild - Fri, 06 Nov 2020 00:00:00 -0500

Apple has patched three separate vulnerabilities in iOS and macOS that attackers have been exploiting in the wild. The patches are included in iOS 14.2 and macOS Catalina 10.15.7, which the company released Thursday.

All three of the vulnerabilities were discovered and reported to Apple by researchers with Google Project Zero, which specializes in identifying zero days being used by attackers. Two of the flaws are in the iOS kernel, while the third is in the font parser component of the operating system. Neither Apple nor Project Zero released any details on the attacks or the exploits for these vulnerabilities.

The FontParser vulnerability (CVE-2020-27930) is the most serious of the three bugs, as it can lead to remote code execution.

“Processing a maliciously crafted font may lead to arbitrary code execution. Apple is aware of reports that an exploit for this issue exists in the wild. A memory corruption issue was addressed with improved input validation,” the Apple advisory says.

The two kernel vulnerabilities are slightly less serious, but dangerous nonetheless. The first flaw is a memory initialization issue (CVE-2020-27950) in the kernel that can lead to a memory leak. The second is a type confusion vulnerability (CVE-2020-27932) that can allow a malicious app to run arbitrary code.

Those three vulnerabilities are among 24 issues that Apple fixed in iOS 14.2, a rather large number for a point release, but are the only three patched in the new release of macOS. Several of the other vulnerabilities patched in iOS 14.2 can lead to arbitrary code execution, too. Enterprises with managed iPhone and Mac deployments should install the updates as soon as practical, given the existence of exploits in the wild.

The Senators Who Will Set the Security and Privacy Agenda in Congress - fahmida@decipher.sc (Fahmida Y. Rashid) - https://duo.com/decipher/players-setting-senates-security-and-privacy-agenda-remain-the-same - Thu, 05 Nov 2020 00:00:00 -0500

Candidates lay out their positions on a number of topics during the election cycle—taxes, immigration, criminal justice, and climate change—but cybersecurity and privacy don't really get a lot of attention. However, with the focus on election security, nation-state attacks, and massive data breaches, there is growing pressure on the federal government to do something.

Within Congress, there is a sense that privacy and security can't be ignored, or treated as less important. Some lawmakers have shown they grasp the seriousness of the situation and have held hearings, written letters requesting information, and introduced legislation. One way to suss out how the security and privacy agenda will unfold in the 117th Congress is to look at what these Senators have done and said previously.

This isn't intended to be an exhaustive list of every Senator or new member arriving in January. Many of the Senators who will make up the 117th Congress were not up for reelection or handily won their contests, so how they shape the Senate’s agenda will likely remain unchanged. While there are 17 members of the Senate Cybersecurity Caucus, there are plenty of Senators who are active on security and privacy topics and not members of the caucus.

Sen. Ben Sasse (R-Neb) is not an official member of the caucus, but he participated on the bipartisan Cyberspace Solarium Commission, which made more than 75 security recommendations for the executive and legislative branches of government. If the Solarium's recommendations get implemented, such as establishing a national cyber director, forming Senate Cybersecurity Committees, and allocating more power to CISA, it could significantly change privacy and security policy.

One of the new members that could bring some fresh energy is former Colorado governor John Hickenlooper, who unseated Sen. Cory Gardner (R-Colo), the co-sponsor of the Internet of Things Cybersecurity Improvement Act (which just passed Congress unanimously) and co-founder of the Senate Cybersecurity Caucus.

A New Voice in the Senate

Hickenlooper comes with solid cybersecurity credentials, as he—while governor of Colorado—laid the groundwork to create the National Cybersecurity Intelligence Center to serve as a rapid-response center for businesses under attack and to commercialize cutting-edge research. The idea was to eventually have six or so centers around the country focusing on different aspects of cybersecurity. As governor, he also signed the “Cyber Coding Cryptology for State Records” bill into law, which provided support for education, training and workforce development with a focus on cybersecurity, blockchain and related technologies.

Hickenlooper was also a Democratic presidential candidate for a few months in 2019. While his campaign was short, he was one of the few candidates in the crowded field who talked about cybersecurity, such as creating a position of “Director of National Cybersecurity” to formulate a 20-year plan to coordinate efforts among existing security and intelligence agencies.

In an interview when he was running for President, Hickenlooper told Decipher the United States needed "constant engagement" around cybersecurity. This would involve focusing on all the partners around the world, even the ones with a more adversarial relationship, he said.

“By keeping engaged consistently with them, we could bring more pressure on places like Iran, and we can do a better job of addressing the global issues that really are global, like pandemics like Ebola, climate change, cybersecurity," Hickenlooper told Decipher. "It's important to look at on the small focus of, alright, here's what we're going to do around Iran. But on the larger scale, we've got to recognize that we need a network of constant engagement."

Caucus Stays the Same

Gardner may not be the only member of the Caucus missing in the next Congress. Sen. David Perdue (R-Ga.), who introduced the Cybersecurity Advisory Committee Authorization Act of 2020 to establish an advisory committee at the Cybersecurity and Infrastructure Security Agency to coordinate and improve the country's cybersecurity efforts, appears to be headed for a runoff election in January.

Sens. Angus King (I-Maine), Michael Bennet (D-Colo.), John Thune (R-S.D.), Tom Carper (D-Del.), John Boozman (R-Ark.), Maria Cantwell (D-Wash.), Maggie Hassan (D-N.H.) and Jacky Rosen (D-Nev.) are members of the caucus but were not up for reelection this year.

Sen. Mark R. Warner (D-Va.), the top Democrat on the Senate Intelligence Committee and a co-founder of the Senate Cybersecurity Caucus, won re-election. He has taken a leading role in tackling foreign disinformation and in pushing Congress to consider legislation funding and securing emerging technologies such as 5G. If the Democrats take control of the Senate (pending the outcome of the runoff elections in Georgia), he will likely become chair of the Intelligence Committee. Warner was one of the critics when the White House eliminated the cybersecurity czar role.

Sen. Gary Peters (D-Mich.), who narrowly won re-election, had introduced the Continuity of Economy Act of 2020, to develop a plan to ensure essential functions of the economy continue in the event of a cyberattack, and the National Guard Cyber Interoperability Act of 2020, to enable the National Guard to provide remote cybersecurity support and technical assistance to help states respond to cyber incidents. Sens. Chris Coons (D-Del.), Mike Rounds (R-S.D.), Ed Markey (D-Mass.) and Tom Cotton (R-Ark.) all won reelection, with much more comfortable margins.

Sen. Markey is one of the more active members of the Senate on security topics, introducing a flurry of bills and writing letters to companies and agencies about how they handle cybersecurity. Those letters include asking the FCC to act on SIM swapping; calling on the FTC to investigate data brokers; requesting information from the National Highway Traffic Safety Administration (NHTSA) regarding risks and vulnerabilities of internet-connected cars; and asking the Department of State why it wasn't using multi-factor authentication. He has also been one of the more vocal critics of the government's use of facial recognition technology, especially by law enforcement, and has written letters to Clearview AI about its practices. He also urged the FTC to issue comprehensive guidelines for companies that provide online conferencing services, so that people working from home can be secure as they spend more hours on conference calls.

Markey's bills include the Cyber Shield Act, to create a voluntary cybersecurity certification program for Internet of Things (IoT) devices; the Security and Privacy in Your Car (SPY Car) Act, to establish a rating system telling consumers how well a vehicle protects their security and privacy and to create a cyber coordinator at the Federal Highway Administration; and multiple bills enhancing the security of airplanes and maritime systems, to name a few.

Markey and Cantwell also introduced the Consumer Online Privacy Rights Act (COPRA), which they described as a "common sense" privacy bill. It would make companies responsible for obtaining permission before collecting, sharing, and retaining sensitive information, including biometrics and location data.

Sen. Rounds has spoken about disinformation campaigns, election security, and the military's ability to respond to cyberattacks. He introduced the National Cybersecurity Exercise Act in 2018, which would have required Cyber Command and others to conduct a "tier 1 exercise" to support civil authorities during a cyber incident. The bill died without coming to a vote. "The U.S. defense strategy must include protecting our military and civilian infrastructure from cyberattacks," Rounds wrote last year.

Sen. Coons co-authored an opinion piece “U.S. Cybersecurity Is Too Weak” in TIME magazine back in 2017, and co-sponsored the Cyber League of Indo-Pacific States (CLIPS) Act to establish a community of regional allies and partners to combat cyberattacks that threaten the U.S. economy.

Sen. Cotton has been one of the most vocal members over the continued presence of Huawei and ZTE equipment in U.S. networks, alleging that the companies have extensive ties to the Chinese Communist Party. He supported the Commerce Department's decision to remove these technologies from government networks and has urged an outright ban. Cotton also joined Sen. Ron Wyden (D-Ore.) in a letter last year to the Senate Sergeant at Arms asking for information about the scale of successful hacks of Senate devices, including smartphones.

Cotton, Warner, Perdue, and Markey all joined Sen. Richard Blumenthal (D-Conn.) in a letter to the Department of Defense and the Department of Homeland Security in April urging Cyber Command and CISA to take more action to protect healthcare organizations from increased attacks during the pandemic.

“Unless we take forceful action to deny our adversaries success and deter them from further exploiting this crisis, we will be inviting further aggression from them and others,” the letter said. “The cybersecurity threat to our stretched and stressed medical and public health systems should not be ignored.”

Senate Stays Same

There are plenty of other voices outside the caucus, including Sens. Sasse, Wyden and Blumenthal, mentioned above. Many of the Senators who have previously sponsored security legislation or spoken on the topic were not up for reelection this cycle.

Sen. Josh Hawley (R-Mo.) introduced the Do Not Track Act, a bill that would establish a single mechanism through which people could prevent websites from tracking them as they move around the web. That measure is designed to protect people from surveillance that is largely invisible to them. Sen. Rob Portman (R-Ohio) sponsored the DHS Cyber Hunt and Incident Response Teams Act to establish threat hunting teams dedicated to helping agencies find threats and recover from cybersecurity incidents.

Sen. Kirsten Gillibrand (D-N.Y.) sponsored the Data Protection Act, aimed squarely at major platform providers and data brokers. The SAFE DATA Act, introduced by Sens. Roger Wicker (R-Miss.), John Thune (R-S.D.), Deb Fischer (R-Neb.), and Marsha Blackburn (R-Tenn.), would require companies to publish privacy policies and give individuals the right to see, correct, or delete data collected on them. The bill also would require the FTC to create and maintain a registry of data brokers. Sen. Elizabeth Warren (D-Mass.) tried to establish criminal liability for CEOs and other senior executives in the case of data breaches with the Corporate Executive Accountability Act.

Wyden may be one of the hardest working members of the Senate on security and privacy issues. Like Markey, Wyden has asked a lot of questions about the accuracy of facial recognition systems and the erosion of individual privacy. Wyden, Markey, and Sen. Cory Booker (D-N.J.), who won reelection, asked the chiefs of 39 federal law enforcement agencies whether they use facial recognition, under what circumstances, and which databases they run facial matching tools against. Wyden has been a consistent voice for putting restraints on law enforcement access to people's information.

Blumenthal is also very active. He has urged establishing a "privacy bill of rights," based in part on the European Union's General Data Protection Regulation. He has said there are so many privacy threats right now that most people don't even have a handle on what they are.

As the chair of the powerful Senate Judiciary Committee and a vocal supporter of "lawful access" to encrypted data, Sen. Lindsey Graham (R-S.C.) has played a role in shaping the Senate's agenda. He decisively defeated his Democratic challenger to stay in the Senate, and is expected to continue his push for giving law enforcement backdoor access into encrypted communications, as well as for punishing technology companies. Graham and Blumenthal were co-sponsors of the highly controversial EARN IT Act, which would strip tech companies of liability protections for what users share on their platforms if they don't follow new rules. The bill was ostensibly designed to prevent online child exploitation, but could present serious challenges to operators of end-to-end encrypted services, because those operators may be forced into granting law enforcement special access to encrypted communications.

<![CDATA[Oracle Releases Emergency Patch for WebLogic Flaw]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/oracle-releases-emergency-patch-for-weblogic-flaw https://duo.com/decipher/oracle-releases-emergency-patch-for-weblogic-flaw Wed, 04 Nov 2020 00:00:00 -0500

Oracle has released an emergency patch for a trivially exploitable vulnerability in its WebLogic Server product, a bug that is closely tied to a second WebLogic vulnerability that has been actively exploited for several weeks now.

The newly patched flaw is CVE-2020-14750 and it can allow an unauthenticated remote attacker to gain control of a vulnerable instance of WebLogic, Oracle’s application server. Oracle warned that enterprises should apply the fix as quickly as possible, given that there is exploit code available for it already.

“This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” the Oracle advisory says.

CVE-2020-14882 is a similar bug, which Oracle patched in its October security update release and is known to be under active attack. Security researchers began seeing attacks against that vulnerability at the end of October, and many of the attacks were using exploit code that had been published a few days earlier by a researcher in Vietnam. Both CVE-2020-14882 and CVE-2020-14750 allow remote code execution and neither one requires authentication, making them easy targets for attackers.

“Due to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds,” Bob Rudis, chief data scientist at Rapid7, said in a post on CVE-2020-14882.

“Organizations running Oracle WebLogic Server should patch as quickly as possible. Those that are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well advised to break that cycle in favor of patching as soon as they can.”

The same advice holds true for organizations vulnerable to CVE-2020-14750, which affects multiple supported versions of Oracle WebLogic Server.

<![CDATA[Privacy Prevails at the Ballot Box]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/privacy-prevails-at-the-ballot-box https://duo.com/decipher/privacy-prevails-at-the-ballot-box Wed, 04 Nov 2020 00:00:00 -0500

For many voters, Election Day in the United States was more than just about voting for government officials such as the president, lawmakers, judges, and sheriffs. They were also asked to weigh in on referendums, new state laws, and amendments to the state constitution.

Voters in 32 states voted on 120 ballot measures this year, encompassing topics such as education, healthcare, and criminal justice. There were 18 measures in 14 states on election policies such as campaign finance, redistricting, and term limits; 19 measures in 12 states dealing with tax-related policies; four states voted on legalizing recreational marijuana, and two voted on medical marijuana. California, Massachusetts, and Michigan considered three measures that would have a significant impact on privacy policy. Voters approved all three, and each one will influence individual privacy and security in very different ways.

Ballot Measures

Proposition 24, which modifies the two-year-old California Consumer Privacy Act, was approved by 56 percent of California voters. The initiative calls for more stringent provisions, an expanded definition of what constitutes "personal data," and the creation of a Privacy Protection Agency to enforce the law. Of the three ballot measures, Proposition 24, or the California Privacy Rights Act of 2020, had prominent people on both sides of the initiative, making it really difficult to tell whether its passage was a win or a loss for consumer data privacy.

Supporters included Common Sense Media, Consumer Watchdog, former Democratic presidential candidate Andrew Yang, and Congressman Ro Khanna. Opponents included the ACLU of Northern California and Electronic Frontier Foundation. One concern was that CPRA may wind up giving businesses more power to decide what to do with consumer data, instead of giving consumers more control over their own information.

With CPRA's passage, the law will change to cover companies that share data with third parties, and not just those that sell data to third parties. It will also help "clarify some of the discrepancies and clarifications from CCPA and puts in some interesting operationalization requirements for companies, like retention limits, minimization, audits & risk assessments for high risk processing, and more," said Heather Federman, vice president of privacy and policy at BigID.

Even though CPRA won't be fully in effect until 2022, the Privacy Protection Agency will be up and running by the summer of 2021, which means there will be more resources at the state level to investigate complaints (under CCPA) and enforce the privacy law. It would be the first agency in the United States devoted solely to privacy, similar to the Data Protection Authorities that members of the European Union have. Enterprises that had avoided the work of addressing CCPA's requirements will likely need to make changes to comply with CPRA.

"One of the main practical challenges for enterprises moving forward will be ensuring they know their consumer's data, especially when it comes to their 'sensitive personal information'," Federman said. "For companies that have been taking a half-baked approach to CCPA compliance, this could make CPRA compliance tricky."

While California voters considered data privacy, Massachusetts voters weighed in on the Right to Repair law. Question 1 proposed updating an existing automobile-repair law to address data sharing. Automobiles increasingly collect and transmit data wirelessly, which raises the question of who has access to that data and how secure it is. The Coalition for Safe and Secure Data, backed by major automakers, urged voters to reject Question 1, claiming that giving vehicle owners and independent repair shops access to the data could pose data security risks. Supporters said voting "Yes" would mean that cars would be required to use a standardized platform, so that vehicle owners and independent repair facilities would also have access to the data instead of it being locked up with the repair shops owned by dealerships and automakers. Question 1 passing in Massachusetts could have a ripple effect beyond the state's borders, and "could set the national standard for cars," Kyle Wiens, the founder of California-based iFixit and a vocal right-to-repair advocate, told Wired.

Finally, 88 percent of Michigan voters approved Proposal 2, an amendment to the Michigan State Constitution that requires a search warrant to access electronic data or electronic communications. Proposal 2 states that electronic data and electronic communications are secure from unreasonable searches and seizures. Michigan's vote is significant because of the sheer amount of user information that is online. Forcing law enforcement to get a search warrant means there will be fewer "fishing" expeditions, where investigators cast a wide net and see who comes up rather than focusing on specific individuals and crimes. For companies holding consumer information, Michigan's Proposal 2 defines the steps law enforcement has to follow in order to gain access. This could have an impact beyond Michigan as well.

Harbinger of Change

The fact that three states had consumer privacy on the ballot is not an anomaly, but rather an indicator that this topic is going to become a bigger deal over the next few years. Ballot measures often act as bellwethers, indicating which issues are becoming important to voters. For example, California was the first state to legalize medical marijuana using a ballot initiative, in 1996, which sparked a flurry of similar initiatives in other states. Colorado and Washington were the first to legalize recreational marijuana, in 2012, and many states have since followed suit; four states put marijuana on the ballot this year. As discussions about consumer privacy and data security become increasingly commonplace and federal and state legislatures continue to lag on enacting meaningful laws, more states could adopt ballot measures to protect individuals.

Of the three ballot measures, California's Proposition 24 may be the one heralding the future of privacy legislation.

"California is often a harbinger of social change in America," said Raju Vegesna, chief evangelist at Zoho. "Overall, the persisting absence of a national data privacy law in the U.S. means more states will take matters into their own hands, following in California's footsteps."

<![CDATA[Google Discloses Unpatched Windows Flaw Used in Attacks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/google-discloses-unpatched-windows-flaw-used-in-attacks https://duo.com/decipher/google-discloses-unpatched-windows-flaw-used-in-attacks Mon, 02 Nov 2020 00:00:00 -0500

Two weeks ago, Google patched a vulnerability in Chrome that was under active exploitation by attackers, saying that it had evidence of an exploit in the wild. Now, Google researchers have disclosed an unpatched vulnerability in Windows that was being used in conjunction with the Chrome bug in some attacks.

Google's Project Zero research team discovered both vulnerabilities, and on Friday the team disclosed the details of the Windows bug (CVE-2020-17087), a buffer overflow in the kernel cryptography driver. The flaw is not remotely exploitable on its own, but it can be used for privilege escalation once an attacker already has access to a target machine. Google's researchers saw attackers using this bug along with the Chrome flaw (CVE-2020-15999) in targeted attacks.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” the Project Zero bug report says.

“We have evidence that this bug is being used in the wild.”

Microsoft is expected to release a patch for the vulnerability on Nov. 10.


The exploitation attempts that Google has seen involving this vulnerability have been targeted attacks and not related to any intrusion attempts on election infrastructure, the company said. The Project Zero team published a proof-of-concept exploit for the bug, which it said has likely been around since Windows 7.

“It was tested on an up-to-date build of Windows 10 1903 (64-bit), but the vulnerability is believed to be present since at least Windows 7. A crash is easiest to reproduce with Special Pools enabled for cng.sys, but even in the default configuration the corruption of 64kB of kernel data will almost surely crash the system shortly after running the exploit,” the bug report says.

In late October, Project Zero researchers discovered that attackers were exploiting a previously unknown flaw in Chrome, which turned out to be a heap buffer overflow in the FreeType font-rendering engine Chrome uses. Google patched the vulnerability on Oct. 20 for Chrome desktop users. But two days later researchers filed a separate bug report for the Windows kernel vulnerability that was being used alongside the Chrome flaw. Both vulnerabilities were subject to Project Zero’s most aggressive seven-day disclosure deadline, which it applies to bugs that are being actively exploited.

<![CDATA[CISA, Microsoft Warn of Continued Attacks on Zerologon Bug]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/cisa-microsoft-warn-of-continued-attacks-on-zerologon-bug https://duo.com/decipher/cisa-microsoft-warn-of-continued-attacks-on-zerologon-bug Fri, 30 Oct 2020 00:00:00 -0400

It has been more than two months since Microsoft released a patch for the Zerologon vulnerability in Windows Server, and for organizations that have not yet applied the fix, time is running short.

Within a few weeks of the patch release, Microsoft warned that attackers were actively targeting the vulnerability (CVE-2020-1472) and urged customers to apply the fix as soon as possible. The vulnerability is a privilege escalation flaw in the Netlogon Remote Protocol that Windows domain controllers use for authentication, and a successful exploit could give an attacker access to domain credentials. Details of the vulnerability, as well as exploit code, have been public for several weeks, and Microsoft said Thursday that some of its customers are continuing to see attacks against the bug.

“Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be used to steal domain credentials and take over the domain,” Aanchal Gupta, vice president of engineering for the Microsoft Security Response Center, said in a post.

“Deploying the August 11, 2020 security update or later release to every domain controller is the most critical first step toward addressing this vulnerability. Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts. We strongly encourage anyone who has not applied the update to take this step now.”

The Zerologon vulnerability is dangerous for several reasons, primarily because of the consequences of a successful attack. Also, any organization that has a domain controller exposed to the Internet, which is not the recommended configuration, is even more exposed, as an attacker could exploit the vulnerability directly without needing a second flaw to get onto the network first.

To supplement Microsoft’s advisory, the Cybersecurity and Infrastructure Security Agency issued its own warning, reiterating that it has seen state actors targeting the Zerologon flaw and urging enterprises to apply the available fixes.

“The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks,” CISA’s guidance says.

“If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.”
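Microsoft's advice above is to get the August 2020 update onto every domain controller, and CISA's is to treat any observed Netlogon exploitation as a full compromise of identity services. The following PowerShell script is an added example, not code from the article, Microsoft or CISA, that turns both pieces of advice into a check an administrator can run from a domain-joined workstation. It relies on facts from Microsoft's deployment guidance for the update: the patched Netlogon service writes event IDs 5827 through 5831 to the System log (source NETLOGON) when it denies or allows a vulnerable secure channel connection, and the registry value FullSecureChannelProtection set to 1 puts a DC into enforcement mode. The script assumes the ActiveDirectory RSAT module is installed, that the account running it can read the System log and registry on each DC remotely, and that the event text names the client as "SamAccountName: HOST$" (an assumption about the message format, used only to list offending clients).

```powershell
# Added example (not from the article, Microsoft or CISA): survey every domain
# controller in the current domain for the Netlogon events that the August 2020
# update writes, and report whether enforcement mode is switched on.
# Assumptions: ActiveDirectory RSAT module present; remote event log and WinRM
# access to each DC; message text of the events contains "SamAccountName: <client>".
Import-Module ActiveDirectory

# Event IDs Microsoft documents for the CVE-2020-1472 update (System log, source NETLOGON):
#   5827 / 5828  vulnerable secure channel connection DENIED (machine / trust account)
#   5829         vulnerable connection ALLOWED (only logged while the DC is not enforcing)
#   5830 / 5831  vulnerable connection ALLOWED because of a group policy exception
$NetlogonIds = 5827, 5828, 5829, 5830, 5831
$Since       = (Get-Date).AddDays(-7)

$Report = foreach ($Dc in Get-ADDomainController -Filter *) {
    $Name = $Dc.HostName

    # A DC with no matching events makes Get-WinEvent emit a non-terminating error;
    # silence it and treat the result as an empty list.
    $Events = @(Get-WinEvent -ComputerName $Name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $NetlogonIds
        StartTime    = $Since
    })

    # FullSecureChannelProtection = 1 means the DC refuses vulnerable connections outright.
    # Absent or 0 means the DC is still in the permissive initial deployment phase.
    try {
        $Enforce = Invoke-Command -ComputerName $Name -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty -ErrorAction SilentlyContinue `
                -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                -Name FullSecureChannelProtection).FullSecureChannelProtection
        }
        if ($null -eq $Enforce) { $Enforce = 'not set' }
    } catch {
        $Enforce = 'unreachable'   # WinRM failed; check this DC by hand
    }

    # Pull the client account names out of the "allowed" events so the hosts still
    # making vulnerable connections can be patched or replaced before enforcement.
    $VulnClients = $Events |
        Where-Object { $_.Id -in 5829, 5830, 5831 } |
        ForEach-Object { if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique

    [pscustomobject]@{
        DomainController            = $Name
        Denied_5827_5828            = @($Events | Where-Object { $_.Id -in 5827, 5828 }).Count
        AllowedVulnerable_5829      = @($Events | Where-Object { $_.Id -eq 5829 }).Count
        PolicyException_5830_5831   = @($Events | Where-Object { $_.Id -in 5830, 5831 }).Count
        FullSecureChannelProtection = $Enforce
        VulnerableClients           = ($VulnClients -join ', ')
    }
}

$Report | Format-Table -AutoSize

# Work left to do: any DC not yet enforcing, or any DC still letting vulnerable
# connections through.
$Report | Where-Object { $_.AllowedVulnerable_5829 -gt 0 -or $_.FullSecureChannelProtection -ne 1 }
```

Two caveats when reading the output. The 5827 through 5831 events only exist on a DC that already has the update installed, so a DC that shows zero events of every kind and "not set" for FullSecureChannelProtection is as likely to be unpatched as quiet, and should be verified against its installed updates directly. And, per CISA's guidance above, a run of 5827 or 5828 denials from a host that is not a known legacy device is an indicator to hand to incident response rather than a line item to clean up later.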