Nina Raemont/ZDNETFollow ZDNET: Add us as a preferred source More

Cybersecurity firm Rapid7 said it has signed a deal to acquire Alcide, a developer of Kubernetes security technology, for roughly $50 million. The security analytics provider revealed the deal on Monday, saying the acquisition will help its customers manage the security of their cloud and container environments.

Based in Tel Aviv, Alcide’s technology aims to bridge security and DevOps with code-to-production security for Kubernetes deployments. 
According to Rapid7, Alcide’s cloud workload protection platform (CWPP) can be combined with the company’s existing cloud security posture management service to offer customers a more unified platform for application security management. 
“We are thrilled to welcome Alcide to Rapid7,” said Corey Thomas, CEO of Rapid7. “The technical talent within Israel’s cybersecurity ecosystem is unparalleled and we look forward to working together with the Alcide team to provide organizations with comprehensive cloud security that drives business growth and innovation.”
Rapid7’s purchase of Alcide comes on the heels of its acquisition of DivvyCloud in April 2020. The company said both acquisitions are meant to bolster its ability to provide customers with a cloud native security platform for managing risk and compliance.
RELATED: More

Image: Getty Images
Home Affairs secretary Mike Pezzullo has made clear his intended approach to the reform of Australia’s electronic surveillance laws: Bulldoze everything and start again. We also need “a broader societal discussion about privacy”, he said. Speaking at a seminar organised by the Australian Strategic Policy Institute (ASPI) on Thursday, Pezzullo described the surveillance law reforms now under way as more of a rebuild, not just a renovation. “I’d like to get to a point if we can design the legislation almost as if we are… not just renovating an existing structure, but literally clearing a site, levelling it, understanding what’s in the ground, what all the different conditions are in relation to that site, and building the new structure together,” he said. Pezzullo wants “everyday Australians” to have the confidence that it would be “highly unusual for any of their data, any of their devices, or indeed any of their engagement through their devices with data, to be the subject of surveillance or interception”. He wants to “move hopefully away from a notion, which has crept into the discussion around surveillance, of the mass ingestion of data almost for a ‘store and use it later’ basis”. Dennis Richardson’s 1,300-page review of the national intelligence community’s legislative framework, released in December 2020, recommended a whole new electronic surveillance Act. The aim would be to clean up what has, over four decades, become a tangled mess of laws.

The government agreed, and last month the Department of Home Affairs released a discussion paper outlining this goal: “A consistent approach in terms of thresholds, purposes, safeguards, or accountability” with better privacy protections, and a consistent approach to different communications and data technologies into the future. “[We would like to engage] in a very genuine, deep, consultative process. We really want to hear from experts in the field about the challenges that are discussed in the discussion paper,” Pezzullo said. “How do you get these balances right, almost at a philosophical level, between security and liberty?” Spies will always be “much more restricted” than surveillance capitalism That said, according to Pezzullo, we should be more concerned about what’s being done by commercial operators in the name of so-called surveillance capitalism. “It’s more than passing strange to me … that we shed more of our own personal and sometimes quite intimate data in ways that we probably don’t fully understand or appreciate,” Pezzullo said. “I think the more immediate pressing problem for the citizenry is to actually understand what companies are doing with that personal and sometimes intimate data,” he said. “Everything that government will do will always be purposely designed by the parliament to be much more restricted than that.” Pezzullo’s argument is that commercial operators project their gaze as widely as possible to maximise profits, whereas law enforcement and intelligence agencies are required to limit their attention to people who are lawfully being investigated for serious crimes. “That’s very different, a very different direction from the way in which all of society’s otherwise going,” he said. “We’d very much like to land this legislation as a model exemplar back to the private sector about how to engage in moderated self-restraining surveillance.” Katherine Jones, secretary of the Attorney-General’s Department, says she is “on a unity ticket” with Pezzullo in wanting a wide-ranging consultation process. “Working closely with Home Affairs, we’re able to be engaged as these reforms have been considered, discussed, with stakeholders, designed, and ensure that we can put in absolutely the most effective safeguards that are built into the legislation, but also the most effective oversight mechanisms.,” Jones said. “I think we have a generational opportunity to improve in this space,” she said. “We’ve got an opportunity to do that in a much more embedded-by-design way, rather than the ad hoc way it’s been developed over the last 30 years.” A question of thresholds: Which crimes are ‘serious’? One question which continues to plague Australia’s patchwork of electronic surveillance laws is about the kinds of crimes against which they can be used.As Rachael Falk, CEO of the Cyber Security Cooperative Research Centre, pointed out, the UN’s International Covenant on Civil and Political Rights does have “clear carve outs regarding when privacy can legitimately be a secondary concern”. “These are extreme circumstances — significant national security threats, threat to life, threat to public order — which must be used proportionately to the threat at hand,” Falk told ZDNet. “In such extreme circumstances, privacy, while still vitally important, comes second place to the common good.” But which crimes are “serious”? For example, as your correspondent has previously noted, Australia’s controversial anti-encryption laws can be use for offences “punishable by a maximum term of imprisonment of 3 years or more or for life”. Looking around the various jurisdictions, this could cover such existential national security threats as graffiti, criminal damage, menacing phone calls, or even pranks. The Home Affairs discussion paper does float the options of setting the thresholds at sentences of three years, or five, or seven. But other measures could also be used, such as for when a crime causes serious harm. A key factor here is gaining the public’s trust that the balance is right, something the UK recognised in the report from its own consultation on these issues, A question of trust: report of the investigatory powers review. The report presented a range of case studies which, while not giving away any classified information, explained how and why the powers were used. As Falk told the ASPI seminar, “They [in the UK] go to great lengths to explain the what and the why”. “It’s important that the public have a clear-eyed view,” she said. Home Affairs is accepting public submissions relating to its discussion paper [PDF] until February 11. Assuming the timeline remains the same after the forthcoming federal election, an exposure draft of the legislation would be published before the end of this year, with another round of public consultation before legislation is introduced into parliament some time in 2023. Richardson estimated that the whole process would take two to three years and cost around AU$100 million, with another couple of years to rework IT systems and retrain staff. Related Coverage More

A five-year study has concluded with a sobering fact for businesses using on-premise servers: close to half contain vulnerabilities that may be ripe for exploitation. 

Imperva released the results of the study on Tuesday, which analyzed roughly 27,000 databases and their security posture. In total, 46% of on-premises databases worldwide, accounted for in the scan, contained known vulnerabilities.  On average, each database contained 26 security flaws, with 56% ranked as a “high” or “critical” severity bug — including code execution vulnerabilities that can be used to hijack an entire database and the information contained within.  All it may take, in some cases, is a scan on Shodan to find a target and executing a malicious payload.  “This indicates that many organizations are not prioritizing the security of their data and neglecting routine patching exercises,” Imperva says. “Based on Imperva scans, some CVEs have gone unaddressed for three or more years.” France was the worst offender for unprotected databases, with 84% of those scanned containing at least one vulnerability — and the average number of bugs per database was 72.  Australia followed with 65% (20 vulnerabilities on average), and then Singapore (64%, 62 security flaws per database), the United Kingdom (61%, 37 bugs on average), and China (52%, 74 security issues per database). In total, 37% of databases in the United States contained at least one known vulnerability, and these databases contained an average of 25 bugs. 

The Microsoft Exchange Server hack has highlighted the ramifications of poor security for on-prem servers as well as their owners. In March, Microsoft released emergency patches to resolve four zero-days — known collectively as ProxyLogon – but once exploit code was developed and released, thousands of businesses were compromised.  In other recent database security news, a critical vulnerability impacting Cosmos DB became public in August. The bug, described as “trivial” to exploit by cloud security firm WIZ, gives “any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A ransomware gang going by the of Egregor has leaked data it claims to have obtained from the internal networks of two of today’s largest gaming companies — Ubisoft and Crytek.
Data allegedly taken from each company has been published on the ransomware gang’s dark web portal on Tuesday.
Image: ZDNet
Details about how the Egregor gang obtained the data remain unclear.
Ransomware gangs like Egregor regularly breach companies, steal their data, encrypt files, and ask for a ransom to decrypt the locked data.
However, in many incidents, ransomware gangs are also get caught and kicked out of networks during the data exfiltration process, and files are never encrypted. Nevertheless, they still extort companies, asking victims for money to not leak sensitive files.
Usually, when negotiations break down, ransomware gangs post a partial leak of the stolen files on so-called leak sites.
On Tuesday, leaks for both Crytek and Ubisoft were posted on the Egregor portal at the same time, with threats from the ransomware crew to leak more files in the coming days.
For the Ubisoft leak, the Egregor group shared files to suggest they were in possession of source code from one of the company’s Watch Dogs games. On its web portal, the group touted they were in possession of the source code for the Watch Dogs: Legion game, scheduled to be released later this month. It was, however, impossible to verify that these files came from the new game, rather than an existing release.

Image: ZDNet
For the past year, security researchers have tried to reach out and notify Ubisoft about several of its employees getting phished, with no results, which may provide a clue of how the hackers might have got it.
But while hackers leaked only 20 MB from Ubisoft, they leaked 300 MB from Crytek, and this data contained a lot more information.
The Crytek files included documents that appeared to have been stolen from the company’s game development division. These documents contained resources and information about the development process of games like Arena of Fate and Warface, but also Crytek’s old Gface social gaming network.

Image: ZDNet

Image: ZDNet

Image: ZDNet
Neither Ubisoft nor Crytek responded to emails seeking comment on the leaks. None of the companies reported major security incidents weeks, nor any abnormal and prolonged downtimes, suggesting the Egregor intrusion didn’t likely impact cloud and gaming system, but merely backend office and work networks, where most ransomware incidents usually incur damages.
However, in an email interview with ZDNet, the Egregor gang provided more details about the two incidents. The ransomware operators said they breached the Ubisoft network, but only stole data, and did not encrypt any of the company’s files.
On the other hand, “Crytek has been encrypted fully,” the Egregor crew told ZDNet.
The Egregor group said that neither company engaged in discussions, despite their intrusions, and no ransom has been officially requested yet.
“In case Ubisoft will not contact us we will begin posting the source code of upcoming Watch Dogs and their engine,” the group threatened, promising to publish more data in a press release tomorrow. More