Privacy has become a priority for virtually every company regardless of size, vertical, and geography. Privacy regulations have popped up around the world, including Europe, the US, and China. India will soon be added to the list. Rising customers’ and employees’ privacy expectations are also converging to force businesses to prioritize privacy and will keep doing so in the future. Companies are responding by maturing their privacy programs, developing best practices, and sharpening their respective toolkits. Companies are investing in privacy 

According to Forrester survey data, most companies worldwide have adopted a formal privacy program and have a chief privacy officer (CPO) in place. Half of these CPOs report directly to the company’s CEO. While privacy programs are primarily set up to deliver on compliance requirements, one of the key benefits companies report as a result of their program is increased customer trust. With the volume of individuals’ privacy rights requests on the rise, new requirements being discussed, and emerging risks to tackle, privacy decision-makers expect to increase their privacy budgets in the next 12 months. The appetite for adopting new technology is also rising. While most teams are still relying on spreadsheets to manage their programs, privacy teams are progressively investing in more sophisticated and automated technology to support their efforts. Encryption is one of the main technologies being implemented today. Privacy-preserving technologies, as well as software for privacy training, top the list of new tools privacy decision-makers are planning to adopt in the next future. The reliance on automated technology helps privacy organizations perform better. However, to solve their most significant challenges, they need to think about processes, governance, and policies on top of technology. And they need to establish strategic collaboration with others in the organization. In fact, when asked about the biggest challenges to effectively protect the personal data of their customers and/or employees, most privacy decision-makers reported that the fear of worsening the experience of their customers and/or employees is their biggest challenge. Also: Privacy predictions for EuropeEmployee privacy expectations are greater than most assume Companies have learned that EX — the employee experience — directly influences the quality of their customer experience (CX). As such, they are prioritizing efforts to improve their EX. But employee privacy is still too often left out from the list of key EX — and privacy — initiatives. This is a mistake. How companies treat their personal information has a significant impact on how employees feel about and trust their employers and on how they perform. Employees have strong privacy expectations at work. In fact, data from Forrester’s new Privacy Segmentation shows that as many as 72% of employees globally do not want their personal data used as part of workforce analytics projects without their consent. Additionally, more than half wish they had more privacy protections in the workplace. About the same number take active measures to limit the amount of personal data they share with their employers. 

Companies and their privacy leaders must learn how their employees feel about their personal data at work and develop privacy practices that meet these expectations. Those that understand employee privacy only as a compliance requirement should upgrade their existing practices to address employees’ privacy attitudes beyond mere compliance. Compliance is the floor, not the ceiling. And those that have existing strong employee privacy practices in place must ensure that they continuously improve them to align with changing employee privacy expectations. Organizations can help empower employees with privacy at home 

Employee privacy concerns and interests intersect with their personal lives. The lines start to blur between work and home as companies move to an anywhere work model and have a remote workforce. Companies will have a ceiling when it comes to applying cybersecurity controls that reach into the home. Employees have expectations of privacy; employers have liability concerns, and privacy and labor laws are non-negotiable. To keep privacy top of mind and engage your workforce, you can be a resource for information to empower your employees to level up their personal privacy posture. For example, point to how a credit freeze can help prevent identity theft. This can also include education about tools like VPNs and identity theft monitoring and protection services. You can also highlight privacy and anti-surveillance tools. For example, email and credit card masking tools like Abine and MySudo; secure messaging apps like Signal; and popup blockers and script blockers like Adblock, Ghostery, NoScript, and uBlock Origin. Many ISPs also offer home cybersecurity services today as well. These services are typically delivered via the home router and include capabilities like network and device security, Wi-Fi/network management and optimization, parental controls, and privacy features. Concierge cybersecurity and privacy services like BlackCloak and Cypient Black will take a tailored approach to protect individuals (typically executives and VIPs) from targeted attacks aimed at their home environment. Also: Software development will adapt to a new normalWhile technologies and services can help, privacy-minded behaviors and habits will have the most day-to-day impact. Forrester data shows that US online adults’ common actions to protect their privacy include clearing Internet browsing history and adjusting permissions for specific apps. This is where an organization’s efforts to update and invest in their privacy awareness training programs will help to empower employees the most. This post was written by Principal Analysts Enza Iannopollo and Heidi Shey, and it originally appeared here. More

This week, the Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack that took place in July yet did not share them for three weeks. Hundreds of organizations were affected by the Kaseya attack, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. Washington Post reporters Ellen Nakashima and Rachel Lerman wrote this week that the FBI managed to obtain the decryption keys because they accessed the servers of REvil, the Russia-based criminal gang that was behind the massive attack.

Kaseya attack

REvil demanded a $70 million ransom from Kaseya and thousands from individual victims before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack. Despite the large number of victims of the attack, the FBI did not share the decryption keys, deciding to hold on to them as they prepared to launch an attack on REvil’s infrastructure. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys.The FBI also claimed “the harm was not as severe as initially feared” according to The Washington Post. The FBI attack on REvil never happened because of REvil’s disappearance, officials told the newspaper. The FBI eventually shared the decryption keys with Kaseya on July 21, weeks after the attack occurred. Multiple victims spoke to The Washington Post about the millions that were lost and the significant damage done by the attacks. 

Another law enforcement source eventually shared the decryption keys with Bitdefender, which released a universal decryptor earlier this month for all victims infected before July 13, 2021. More than 265 REvil victims have used the decryptor, a Bitdefender representative told The Washington Post. During his testimony in front of Congress on Tuesday, FBI Director Christopher Wray laid blame for the delay on other law enforcement agencies and allies who they said asked them not to disseminate the keys. He said he was limited in what he could share about the situation because they are still investigating what happened.  “We make the decisions as a group, not unilaterally. These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress. The revelation caused considerable debate among security experts, many of whom defended the FBI’s decision to leave victims struggling to recover from the attack for weeks. Critical Insight CISO Mike Hamilton — who dealt with a particularly thorny situation where a Kaseya victim was left in the lurch after paying a ransom right before REvil disappeared — said being careful about disclosing methods is a staple of the law enforcement and intelligence communities. “There is a ‘tell’ though, that we’ve confirmed ourselves. The FBI is quoted as saying that the damage wasn’t as bad as they thought and that provided some time to work with. This is because the event wasn’t a typical stealth infiltration, followed by pivoting through the network to find the key resources and backups. From all indications the only servers that were encrypted by the ransomware were the ones with the Kaseya agent installed; this was a smash-and-grab attack,” Hamilton said. “If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn’t really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc.”Sean Nikkel, senior threat intel analyst at Digital Shadows, said the FBI may have seen the need to prevent or shut down REvil’s operations as outweighing the need to save a smaller group of companies struggling in just one attack. Because of REvil’s increasing scale of attacks and extortion demands, a quickly-developing situation requiring an equally fast response likely preempted a more measured response to the Kaseya victims, Nikkel explained, adding that it is easy to judge the decision now that we have more information but that it must have been a tough call at the time. “Quietly reaching out directly to victims may have been a prudent step, but attackers seeing victims decrypting files or dropping out of negotiations en masse may have revealed the FBI’s ploy for countermeasures,” Nikkel told ZDNet. “Attackers then may have taken down infrastructure or otherwise changed tactics. There’s also the problem of the anonymous soundbite about decryption making its way into public media, which could also tip off attackers. Criminal groups pay attention to security news as much as researchers do, often with their own social media presence.” Nikkel suggested that a better approach may have been to open backchannel communications with incident response firms involved to better coordinate resources and response, but he noted that the FBI may have already done this. BreachQuest CTO Jake Williams called the situation a classic case of an intelligence gain/loss assessment. Like Nikkel, he said it’s easy for people to play “monday morning quarterback” and blame the FBI for not releasing the keys after the fact. But Williams did note that the direct financial damage was almost certainly more widespread than the FBI believed as it withheld the key to protect its operation. “On the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations. On balance, I do think the FBI made the wrong decision in withholding the key,” Williams said. “However, I also have the convenience of saying this now, after the situation played itself out. Given a similar situation again, I believe the FBI will release the keys unless a disruption operation is imminent (hours to days away). Because organizations aren’t required to report ransomware attacks, the FBI lacked the full context required to make the best decision in this case. I expect this will be used as a case study to justify reporting requirements.”John Bambenek, principal threat hunter at Netenrich, said critics need to remember that first and foremost, the FBI is a law enforcement agency that will always act in a way that optimizes law enforcement outcomes. “While it may be frustrating for businesses that could have been helped sooner, law enforcement takes time and sometimes things don’t work out as planned,” Bambenek said. “The long term benefit of successful law enforcement operations is more important than individual ransomware victims.” More

Security legend McAfee, which is shedding its enterprise business, and bandwidth provider Akamai Technologies, which is transitioning to being more of an enterprise security company, both this afternoon reported Q1 results  that topped analysts’ expectations.Akamai said its sales of its security software and services rose by 29%, year over year, to $310 million.McAfee said its consumer security business, which excludes revenue from the enterprise business that McAfee is selling off, rose by 25%, year over year. McAfee and Akamai shares were both unchanged in late trading.  Akamai CEO Tom Leighton said that the company was “pleased with our excellent start in 2021,” noting that “revenue, margins and earnings all [exceeded] expectations.”Added Leighton, “We continued to capitalize on the substantial opportunities for our business, as demonstrated by the very strong growth of our security and edge applications solutions and strong traffic growth on the Akamai Intelligent Edge Platform.”Akamai’s total revenue in the three months ended in March rose 10%, year over year, to $843 million, yielding a net profit of $1.38 a share.

Analysts had been modeling $830 million and $1.30 per share.Akamai did not offer a forecast.McAfee’s total revenue in the three months ended in March rose 13%, year over year, to $773 million, yielding a net profit of 44 cents a share.Analysts had been modeling $732 million and 36 cents per share.McAfee announced March 8th it would sell its enterprise security business to private equity firm Symphony Technology Group for $4 billion in cash. The enterprise business is categorized as “discontinued operations” within the quarterly results, while the remaining consumer business is continuing operations. For the current quarter, McAfee sees revenue from its remaining business, excluding enterprise, of $430 million to $434 million. For the full year, the company sees revenue from continuing operations in a range of $1.77 billion to $1.79 billion.

Tech Earnings More

Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products. 

The patch, released outside of the tech giant’s typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. 
See also: Everything announced at Adobe Max 2020: Creative Cloud gets collaborative, Illustrator for iPad, and more
Published on October 20, the first app tackled is Illustrator, which received a fix for seven critical vulnerabilities. The memory corruption and out of bounds read/write issues, when exploited, can lead to arbitrary code execution. 
Adobe Dreamweaver was subject to an “important” uncontrolled search path element security flaw which could be exploited for the purpose of privilege escalation, and another “important” issue impacting the Marketo Sales Insight Salesforce package, a cross-site scripting (XSS) bug, could have been weaponized to deploy malicious JavaScript in a browser session. 
Adobe’s next batch of fixes focused on Animate, in which four critical vulnerabilities — out-of-bounds read, stack overflow, and double-free problems — all resulting in arbitrary code execution were resolved.  
CNET: What’s the best cheap VPN? We found three good options
After Effects, too, contained critical issues that have since been patched. A single out-of-bounds read and an uncontrolled search path problem leading to the execution of malicious code are now patched. 
Critical uncontrolled search path problems were also found and fixed in Photoshop, Premiere Pro, Media Encoder, and Creative Cloud installer for desktop.
Finally, a single, critical memory corruption bug has been patched in InDesign that could also be abused to execute arbitrary code. 
TechRepublic: Homebrew: How to install reconnaissance tools on macOS
Adobe thanked researchers working with the Trend Micro Zero Day Initiative and from Fortinet’s FortiGuard Labs, Qihoo 360 CERT, Root Fix, and Decathlon, among others, for their disclosures.
Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical — including a bug that could be abused to tamper with Magento customer lists.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Apple

special feature

Securing Your Mobile Enterprise
Mobile devices continue their march toward becoming powerful productivity machines. But they are also major security risks if they aren’t managed properly. We look at the latest wisdom and best practices for securing the mobile workforce.
Read More

Some of the biggest names in the iPhone vulnerability research field have announced plans today to skip Apple’s new Security Research Device (SRD) program due to Apple’s restrictive rules surrounding the vulnerability disclosure process that effectively muzzles security researchers.
The list includes Project Zero (Google’s elite bug-hunting team), Will Strafach (CEO of mobile security company Guardian), ZecOps (mobile security firm who recently discovered a series of iOS attacks), and Axi0mX (iOS vulnerability researcher and the author of the Checkm8 iOS exploit).
What is the Apple SRD program
The Security Research Device (SRD) program is unique among smartphone makers. Through the SRD program, Apple has promised to provide pre-sale iPhones to security researchers.
These iPhones are modified to have fewer restrictions and allow deeper access to the iOS operating system and the device’s hardware, so security researchers can probe for bugs that they normally wouldn’t be able to discover on standard iPhones where the phone’s default security features prevent security tools from seeing deeper into the phone.
Apple officially announced the SRD program in December 2019, when the company also expanded its bug bounty program to include more of its operating systems and platforms.

However, while the company teased the program last year, it wasn’t until today that Apple actually launched it by publishing an official SRD website and emailing selected security researchers and bug hunters to invite them to apply for the vetting process needed to receive an untethered iPhone.
Restrictive new rule
This new website also contained the SRD program’s official rules, which security researchers haven’t had a chance to review in great detail.
But while the security community greeted Apple’s SRD announcement last year with joy, considering it a first step in the right direction, they weren’t very happy with Apple today.
According to complaints shared on social media, it was one particular clause that rubbed most security researchers the wrong way:
“If you report a vulnerability affecting Apple products, Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve each vulnerability as soon as practical. Until the publication date, you cannot discuss the vulnerability with others.”
The clause effectively allows Apple to muzzle security researchers.
The clause gives Apple full control of the vulnerability disclosure process. It allows the iPhone maker to set the publication date when security researchers are allowed to talk or publish anything about vulnerabilities they discover in iOS and the iPhone, while part of the SRD program.
Many security researchers are now afraid that Apple will abuse this clause to delay important patches and drag its feet on delivering much-needed security updates by postponing the publication date after which they’re allowed to talk about iOS bugs.
Others are afraid that Apple will use this clause to silence their work and prevent them from even publishing about their work.
Project Zero and others decide not to apply
The first to notice this clause and understand its implications was Ben Hawkers, the Google Project Zero team lead.
“It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90-day policy,” Hawkes said on Twitter today.
Hawkes tweet garnered a lot of attention in the infosec community, and other security researchers soon followed the team’s decision. Speaking to ZDNet sister-site CNET, Will Strafach also said he won’t be joining the program because of this very same clause.
On Twitter, cyber-security firm ZecOps also announced it would skip the SRD program and continue hacking iPhones the old fashion way.

ZecOps will not use the “dedicated research device” released by @Apple due to the program’s restrictions and minimal benefits. We will continue to report bugs to Apple because it’s the right thing to do.Instead of releasing dedicated research device we encourage Apple to …
— ZecOps (@ZecOps) July 22, 2020

In a conversation with ZDNet, security researcher Axi0mX said they were thinking about not participating as well.
“Disclosure deadlines are standard practice in the industry. They are necessary,” the researcher said.
“Apple is requiring researchers to wait for an unlimited amount of time, at Apple’s discretion, before they can disclose any bugs found with Security Research Device Program. There is no deadline. This is a poison pill,” he added.
Alex Stamos, Facebook’s former Chief Information Security Officers, also criticized Apple’s move, which was part of a larger set of decisions the company has taken in recent months against the cyber-security and vulnerability research community — which also included a lawsuit against a mobile device virtualization company that aided security researchers track down iOS bugs.

If Apple wins this battle (which includes their lawsuit against virtualization platforms) then we can kiss impactful public security research in the US goodbye. Only private bounty participants and lawsuit-proof foreign adversaries will be able to do OS security work.
— Alex Stamos (@alexstamos) July 22, 2020

It’s one thing to see no-name security researchers talk down a security program, but it’s another thing to see the biggest names in the industry attacking one.
Apple’s security programs are not well viewed
The fears that Apple might abuse the SRD program rules to bury important iOS bugs and research are justified, for those who followed Apple’s security programs. Apple has been accused of the exact same practice before.
In a series of tweets posted in April, macOS and iOS developer Jeff Johnson attacked the company for not being serious enough about its security work.
“I’m thinking about withdrawing from the Apple Security Bounty program,” Johnson said. “I see no evidence that Apple is serious about the program. I’ve heard of only 1 bounty payment, and the bug wasn’t even Mac-specific. Also, Apple Product Security has ignored my last email to them for weeks.
“Apple announced the program in August, didn’t open it until a few days before Christmas, and now still have not paid a single Mac security researcher to my knowledge. It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible,” Johnson said. More