More stories

  • NRA responds to reports of Grief ransomware attack

    The National Rifle Association (NRA) has released a statement today after a ransomware gang claimed to have attacked the organization. The Grief ransomware gang — which has ties to the prolific Russian cybercrime group Evil Corp — posted about the NRA on its leak site, setting off hours of headlines and concern among NRA members. By Wednesday afternoon, NRA Public Affairs managing director Andrew Arulanandam took to Twitter to say the group is doing what it can to protect the data of its members. “NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so,” Arulanandam said. Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly taken from the NRA’s databases. Analysis of the released documents shows they are minutes from a recent NRA board meeting as well as documents related to grants. Grief threatened to leak more files if the NRA did not pay an undisclosed ransom.

    The NRA will be faced with a difficult decision, since Evil Corp was sanctioned by the US Treasury Department in 2019, meaning the gun rights group would have to ask permission before paying any ransom. The rules were pushed following an attack on Garmin, a tech wearables company, that was hit by the WastedLocker ransomware. WastedLocker is another ransomware group with purported links to Evil Corp. Evil Corp was implicated in a wide-ranging ransomware attack last week on Sinclair Broadcast Group, which controls hundreds of news stations in the US.

    Grief has spent much of 2021 attacking school districts and local governments across the US, including ones in New York, Alabama, Mississippi, Indiana, Washington and Texas, according to Comparitech. Paul Bischoff, privacy advocate at Comparitech, said NRA members should take steps to protect themselves from any repercussions that might arise as a result of this breach. “A gun won’t help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data,” Bischoff said. “The inclusion of tax forms is particularly concerning because cybercriminals can use them to perpetrate tax fraud. Be sure to file taxes early and make sure no one else files in your name. Grief has led several attacks in the US against targets in government, healthcare, and education.”

  • Microsoft is adding another way to update Windows 11 with Online Service Experience Packs

    Microsoft released a new Windows 11 Insider build on October 27 — Windows 11 Build 22489. In the release notes for this Dev Channel build, Microsoft officials disclosed there’s going to be yet another way to update Windows outside of major OS updates, called “Online Service Experience Packs.” The mention of this new update pack was in the context of the “Your Microsoft Account” settings page, which Microsoft is now testing as part of some future update to Windows 11. A subset of Dev Channel Insiders is getting the new Your Microsoft Account settings page as part of Build 22489. This new page will display information related to users’ Microsoft Account, such as subscriptions to Microsoft 365, links to order history, payment details and Microsoft Rewards. Via this page, users will be able to access their Microsoft Accounts directly in Settings in Windows 11. The details about what Online Service Experience Packs are and what, exactly, they’ll be updating are sparse right now. Microsoft officials said in today’s blog post about the new build: “Over time, we plan to improve the Your Microsoft account settings page based on your feedback from Feedback Hub via Online Service Experience Packs. These Online Service Experience Packs work in a similar way as the Windows Feature Experience Packs do, allowing us to make updates to Windows outside of major OS updates. The difference between the two is that the Windows Feature Experience Packs can deliver broad improvements across multiple areas of Windows, whereas the Online Service Experience Packs are focused on delivering improvements for a specific experience such as the new Your Microsoft account settings page.” Under Windows Update, users ultimately will see “Online Service Experience Pack – Windows.Settings.Account” with a version number. Microsoft execs have said fairly little about Windows Feature Experience Packs. These packs, introduced with Windows 10, have included the updated Snipping Tool, text input panel, and shell-suggestion UI.

    In addition to the new Your Microsoft Account settings page, Microsoft also has added support in today’s test build for “Discovery of Designated Resolvers.” This feature, which builds on DNS over HTTPS, allows Windows to discover encrypted DNS configurations from a DNS resolver known only by its IP address. Microsoft also is updating the name of the “Connect” app to “Wireless Display.” And it is splitting Apps & Features in Settings into two pages under Apps: Installed Apps and Advanced App Settings. The rest of Microsoft’s post about today’s build lists a bunch of fixes and known issues.

    Earlier this month, Microsoft introduced yet another Windows-updating-related feature to Windows Insiders. That mechanism, called Update Stack Packages, is designed to “deliver update improvements outside of major OS updates, such as new builds.” Officials declined to say more about what exactly these Update Stack Packages are at this point.

  • Salesforce and Google create cybersecurity baseline for companies checking vendors

    Google and Salesforce have announced the creation of a vendor-neutral security baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to “raise the bar for security while simplifying the vetting process.” MVSP was also developed and backed by Okta, Slack and more. Google vice president of security Royal Hansen said it was “designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines.” “With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals, and reduce the onboarding and sales cycle by weeks or even months,” Hansen said. “MVSP is a collaborative baseline focused on developing a set of minimum security requirements for business-to-business software and business process outsourcing suppliers. Designed with simplicity in mind, it contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture. MVSP is presented in the form of a minimum baseline checklist that can be used to verify the security posture of a solution.” Companies have long had to create their own security baselines for their vendors, which complicates the process, is difficult for organizations to assemble and creates a byzantine maze of baselines for vendors trying to comply. Hansen explained that the MVSP will create an industry-wide baseline backed by practitioners that clearly communicates a set of minimum requirements. The requirements can also help organizations understand the gaps in their own process and identify areas where they need to be tougher on vendors.

    “MVSP provides a single set of security-relevant questions that are publicly available and industry-backed. Aligning on a single set of baselines allows clearer understanding from vendors, resulting in a quicker and more accurate response,” Hansen said. “MVSP ensures expectations regarding minimum security controls are understood up front, reducing discussions of controls at the contract negotiation stage. Referencing an external baseline helps to simplify contract language and increases familiarity with the requirements.” Hansen added that the companies were interested in feedback from the security community and others who may want to contribute. Salesforce said outsourcing operations to third-party vendors is a double-edged sword. It brings savings but also creates new attack vectors by granting external access to critical systems and customer data, a Salesforce official said. A recent study showed 59% of companies have experienced a data breach caused by one of their vendors. The MVSP checklist includes questions about whether a vendor performs annual comprehensive penetration testing on systems as well as whether a vendor complies with local laws and regulations like GDPR. Questions also cover whether vendors have implemented single sign-on using modern, industry-standard protocols or apply security patches on a frequent basis. Does a vendor maintain a list of sensitive data types that the application is expected to process? Do they keep an up-to-date data flow diagram indicating how sensitive data reaches your systems and where it ends up being stored? These are all questions posed by the MVSP checklist. The checklist also includes questions about the physical security of facilities and whether vendors have layered perimeter controls or entry and exit logs.

    “With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals and reduce the onboarding and sales cycle by weeks or even months,” Salesforce said.

  • Netgear cuts Q4 outlook amid supply chain woes, weak consumer demand

    Netgear is seeing stronger demand from small businesses, but consumer demand has slowed, and supply chain woes will hit fourth quarter sales. The networking company reported third quarter revenue of $290.2 million, down 23.3% from a year ago, when workers upgraded remote office and Wi-Fi infrastructure en masse. The company reported third quarter earnings of 31 cents a share and non-GAAP earnings of 50 cents a share. Wall Street was expecting Netgear to report third quarter revenue of $294.96 million with non-GAAP earnings of 42 cents a share. Netgear CEO Patrick Lo highlighted numerous moving parts. Netgear added that it has authorized plans to buy an incremental 3 million shares of its company stock, or 10% of its outstanding shares. As for the outlook, Netgear said it faces numerous disruptions on the logistics front, with costs rising for ocean freight as well as longer shipping times. The fourth quarter will see lower consumer Wi-Fi demand, with supply constraints hampering SMB demand. The company said fourth quarter revenue will be between $250 million and $265 million. That guidance was well below Wall Street estimates of $328.6 million in revenue. Netgear added that “considerable uncertainty remains in the market due to the COVID-19 pandemic and deteriorating supply chain condition.” Netgear also flagged supply chain constraints last quarter.

  • Google, Twitter back #ShareTheMicInCyber campaign to expand cybersecurity industry

    The #ShareTheMicInCyber campaign that took over the Twitter pages of the country’s cybersecurity leaders last week is being formalized thanks to a partnership between the movement’s founders and a think tank. Camille Stewart, co-founder of #ShareTheMicInCyber, said #ShareTheMicInCyber will be working with New America on a diversity initiative funded by Google, Twitter, and Craig Newmark Philanthropies. “We are excited to expand the impact of #ShareTheMicInCyber by creating a fellowship that will allow for sustained and deeper impact,” Stewart said. A fellowship will be created for 2020 that will be centered around researching diversity and inclusion in the cybersecurity industry, nurturing a stable of mentors and organizing professional development activities. “In an environment where there are so many cyber positions unfilled and we are facing cyber threats that are increasing in complexity and scale, we must capitalize on the innovation and understanding of people that diversity brings to get ahead of threats and fill staffing gaps,” Stewart, who works as global head of product security strategy at Google, told ZDNet. “Intentional investment in changing the face of the industry, elevate and invest in diverse talent, promote diverse talent, change hiring and retention practices to allow for nontraditional backgrounds and experiences, and create inclusive, empathy-driven cultures where everyone can thrive and differences are celebrated.” Google vice president of security Royal Hansen said in a blog post that the company was funding the first year of the fellowship and pledging a total of five years of funding.

    “As modern cybersecurity threats evolve into new and more dangerous attacks — and as the industry seeks skilled workers — we need an arsenal of different ideas that represent all backgrounds. The #ShareTheMicinCyber Fellowship will amplify diverse talent and bring new voices and ideas to the industry and ultimately make us all safer and more secure,” Hansen said. Stewart said she was inspired to start the campaign in the national security and cybersecurity industry after seeing a Share The Mic Now movement for another industry on Instagram. She tweeted about it and eventually was contacted by Harvard Kennedy School’s Lauren Zabierek, who decided to join the effort and helped Stewart host a similar campaign through her organization NextGen NatSec in celebration of Juneteenth 2020. “At the same time Lauren and I worked to create #ShareTheMicInCyber. The first campaign happened June 26, 2020 and built off the learnings from the campaign I hosted the week prior,” Stewart explained. On the heels of that, Stewart and Zabierek began extending invitations to anyone they had connections to, eventually getting the attention of a member of the NSA Cyber comms team through a tweet. Stewart also contacted CISA Director Jen Easterly, who responded immediately and urged her team at CISA to make it happen. IST contacted them in the hopes of joining the campaign. On Friday, CISA strategist Ayan Islam took over Easterly’s account, Google security engineer Talya Parker tweeted from the account of NSA cybersecurity director Rob Joyce and Institute for Security and Technology CEO Philip Reiner handed his accounts over to Hope Goins, staff director for the US House of Representatives Committee on Homeland Security. The women spoke about their experiences in the tech industry, the barriers they had to face as Black women and ways other women of color can break into the industry.

    “The initiative is going well and continues to grow in reach and impact. Not only is the campaign reaching more people each time — sparking a much needed conversation about systemic racism in cyber, broadening networks, and engaging cyber employers — we have partnerships that allow us to address the impacts of systemic racism,” Stewart said. “Our partnership with WISP to create a scholarship for participants is helping to break down financial barriers. Cyberbase, which is launching in partnership with RStreet Institute, is combating the notion that diverse practitioners aren’t already in the industry by giving companies access to a database of Black cyber talent.” Stewart added that the partnership with New America would make what was discussed on Friday a reality, allowing the movement to evolve into actionable opportunities for cybersecurity professionals of color. The fellowship will give someone the opportunity to “conduct policy research and analysis, explore critical cyber security issues, and explore questions of diversity and the human side of cybersecurity.” “Our focus on amplifying and investing in middle career talent is designed to be a beacon for newcomers and a pipeline for future leaders,” Stewart said. “The industry investment in this initiative is a recognition that investment in a diverse workforce at all levels will better equip us to meet the ever-evolving and increasingly complex security challenges we face as a society.” Peter Singer, senior fellow at New America and co-coordinator of the #ShareTheMicInCyber partnership, said the need to build greater diversity in cybersecurity brings together national security, industry, community, and equity needs. “It is the literal definition of a win for all,” Singer said. “We couldn’t be more excited and proud to join in taking #ShareTheMicInCyber to the next needed level.” Stewart and Zabierek said the latest partnership is only the beginning of the conversations that need to be had about diversity, racism and equity in the cybersecurity industry. They urged other companies to get involved in the campaign and find a way to support the initiative. “The outcomes that we’ve seen from the four #ShareTheMicInCyber campaigns — to include strengthening and expanding networks, deepening inclusion, and connecting people with more job and professional opportunities in cybersecurity — show us that this movement must be rooted and fully resourced so that we can grow its impact,” Zabierek said.

  • Not upgrading to iOS 15? Then you need to install this update now

    Back when Apple first announced iOS 15, it promised that users could choose to stay on iOS 14 if they wanted to and still get updates. Apple is delivering on that promise with an update that you should install as soon as possible. iOS 14.8.1 contains 12 — yes, a dozen — security fixes for a swath of issues, ranging from kernel vulnerabilities to bugs in the Safari WebKit engine. These are the sort of issues that could let the bad guys get a foothold on your device to wreak more havoc. Apple also fixed many bugs on Monday with the release of an update to iOS 15: iOS 15.1 and iPadOS 15.1. Apple also released iPadOS 14.8.1 for tablet owners who decided to stick with iOS 14. Apple has published a complete list of fixes for both iOS 14.8.1 and iPadOS 14.8.1. To install the update, tap on Settings > General and go to Software Update to download the update.

  • Linux Foundation: Confidential computing market to reach $54 billion in 2026

    The confidential computing market is expected to reach $54 billion by 2026, according to a new market study from the Linux Foundation and the Confidential Computing Consortium. Conducted by Everest Group, the study claims the confidential computing market is expected to grow at a CAGR of 90%-95% in the best-case scenario, and 40%-45% even in the worst-case scenario, until 2026. The researchers used proprietary datasets, consultations with key market stakeholders and contributions from the members of the Confidential Computing Consortium to compile the study. Accenture, ANT Group, Arm, Facebook, Google, Huawei, Intel, Microsoft and Red Hat are all members of the Confidential Computing Consortium. “Confidential computing protects data in use by performing computation in a hardware-based Trusted Execution Environment (TEE),” the researchers explained. Abhishek Mundra, practice director at Everest Research, said that while the adoption of Confidential Computing is in a relatively nascent stage, the organization’s research “reveals growth potential not only for enterprises consuming it, but also for the technology and service providers enabling it.” The study found that industries facing heavy regulation — like banking, finance, insurance, healthcare, life sciences, public sector and defense — are most interested in the technology and will “dominate” the rollout. The market will be driven by hardware, software and service segments, while adoption in other industries will be driven in part by the increase in privacy regulations and cyberattacks, according to the study.

    The researchers predict that multi-party computing and blockchain “will constitute a large share of the market.” Stephen Walli, governing board chair of the Confidential Computing Consortium, said that because many enterprises are moving data to the cloud, security needs have been altered “dramatically.” “The needs of protecting and managing sensitive data throughout the life cycle, coupled with industry regulations, and the proliferation of cyber risks, positions Confidential Computing to become a de facto technology for computational security,” he said. David Greene, head of the CCC’s outreach committee and chief revenue officer of Fortanix, said the strongest demand for confidential computing seems to come from banking, financial services, and healthcare, all of which have huge quantities of very confidential information and a real need to safely use that data. “Customers want to leverage all of their data, even their most sensitive data, for their own use and to collaborate with other businesses. This is data that can bring advancements in critical research and the development of new solutions for health, productivity and improving people’s lives. Organizations in any industry can benefit from keeping their data secure whether it is at rest, in motion or in use,” Greene said. “We continue to see data breaches resulting from gaps in infrastructure security. It’s very hard to protect infrastructure — there are just too many points of vulnerability. Confidential Computing takes a different approach by focusing on protecting the data, even when it is in use. This just is not possible using any other technology.”

  • Weeks early: Adobe dumps massive security patch update

    Adobe has issued a vast security update targeting 14 products, including Lightroom, Photoshop, and InDesign.


    On October 26, the tech giant issued over 80 patches for vulnerabilities, including critical code execution flaws, privilege escalation, denial-of-service, and memory leaks. Normally, Adobe waits to release batch security updates until the second Tuesday of each month in what is known as Patch Tuesday — a practice also followed by companies including Microsoft. However, when the security of users calls for it, these vendors may release out-of-band or emergency patches — one of the most notable over 2021 being Microsoft’s fixes for zero-day bugs in Exchange Server that were being actively exploited in the wild. Adobe After Effects, Audition, Bridge, Character Animator, Prelude, Lightroom Classic, Illustrator, Media Encoder, Premiere Pro, Animate, Premiere Elements, InDesign, XMP Toolkit SDK, and Photoshop have all received new updates.

    Of note in this security update:

      • Photoshop: CVE-2021-42736, CVSS 7.8, buffer overflow leading to arbitrary code execution
      • XMP Toolkit SDK: CVE-2021-42529, CVE-2021-42530, CVE-2021-42531 (CVSS 7.8), buffer overflows, arbitrary code execution
      • Animate: Nine critical bugs, CVSS 7.8, arbitrary code execution
      • Premiere Elements: CVE-2021-40785, CVSS 8.3, NULL pointer dereference, memory leaks
      • Character Animator: Three Access of Memory Location After End of Buffer flaws, CVSS 7.8, arbitrary code execution
      • Media Encoder: CVE-2021-40778, CVSS 8.3, NULL pointer dereference, memory leaks

    The updates come at the same time as improvements in Adobe software were announced. Among the changes are upgrades to Photoshop and Illustrator to allow web access via URLs, improved masking and filters in Photoshop, the implementation of Frame.io in products, and the planned release of Canvas and Creative Cloud Spaces next year.