Eliana Willis

Image: WhatsApp
WhatsApp announced on Friday it will be offering its users end-to-end encrypted backups later this year. Users will have a choice for how the encryption key used is stored. The simplest is for users to keep a record of the random 64-digit key themselves, akin to how Signal handles backups, which they would need to re-enter to restore a backup. The alternative would be for the random key to be stored in WhatsApp’s infrastructure, dubbed as a hardware security module-based (HSM) Backup Key Vault that would be accessible via a user-created password.”The password is unknown to WhatsApp, the user’s mobile device cloud partners, or any third party. The key is stored in the HSM Backup Key Vault to allow the user to recover the key in the event the device is lost or stolen,” the company said in a white paper [PDF]. “The HSM Backup Key Vault is responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a certain number of unsuccessful attempts to access it. These security measures provide protection against brute force attempts to retrieve the key.” For redundancy purposes, WhatsApp said the key would be distributed through multiple data centres that operate on a consensus model.

WhatsApp said it would only know that a key exists in its vault, and would not know the key itself. The backups would store message text, as well as photos and videos received, WhatsApp said. “The backups themselves are generated on the client as data files which are encrypted using symmetric encryption with the locally generated key,” the Facebook-owned company said. “After a backup is encrypted, it is stored in the third party storage (for example iCloud or Google Drive). Because the backups are encrypted with a key not known to Google or Apple, the cloud provider is incapable of reading them.” Earlier this year, WhatsApp delayed enforcing a take-it-or-leave-it update to its privacy terms until May. WhatsApp originally presented users with a prompt to accept its new privacy terms by February 8, or risk not being able to use the app. In the wording used, WhatsApp said the policy would change how it partnered with Facebook to “offer integrations”, and that businesses could have used Facebook services to manage WhatsApp chats. By June, WhatsApp eventually dumped its update plans. Related Coverage More

Ransomware groups have shown no signs of slowing down their assault on hospitals, seemingly ramping up attacks on healthcare institutions as dozens of countries deal with a new wave of COVID-19 infections thanks to the potent Delta variant. Vice Society, one of the newer ransomware groups, debuted in June and made a name for themselves by attacking multiple hospitals and leaking patient info. Cybersecurity researchers at Cisco Talos said Vice Society is known to be “quick to exploit new security vulnerabilities to help ransomware attacks” and frequently exploits Windows PrintNightmare vulnerabilities during attacks. 

“As with other threat actors operating in the big-game hunting space, Vice Society operates a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands,” Cisco Talos explained last month. Cybersecurity firm Dark Owl added that Vice Society is “assessed to be a possible spin-off of the Hello Kitty ransomware variant based on similarities in the techniques used for Linux system encryption.” They were implicated in a ransomware attack on the Swiss city of Rolle in August, according to Black Fog. The Vice Society leak site. 
Cisco Talos
Multiple hospitals — Eskenazi Health, Waikato DHB and Centre Hospitalier D’Arles — have been featured on the criminal group’s leak site and the group made waves this week by posting the data of Barlow Respiratory Hospital in California.The hospital was attacked on August 27 but managed to avoid the worst, noting in a statement that “no patients were at risk of harm” and “hospital operations continued without interruption.”Barlow Respiratory Hospital told ZDNet that law enforcement was immediately notified once the hospital noticed the ransomware impacting some of its IT systems. 

“Though we have taken extensive efforts to protect the privacy of our information, we learned that some data was removed from certain backup systems without authorization and has been published to a website where criminals post stolen data, also known as the ‘dark web.’ Our investigation into the incident and the data that was involved, is ongoing,” the hospital said in a statement. “We will continue to work with law enforcement to assist in their investigation and we are working diligently, with the assistance of a cybersecurity firm, to assess what information may have been involved in the incident. If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.” The attack on Barlow caused considerable outrage online considering the hospital’s importance during the COVID-19 pandemic. But dozens of hospitals continue to come forward to say they have been hit with ransomware attacks. Vice Society is far from the only ransomware group targeting hospitals and healthcare institutions. The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that they typically corrupt backups as well.Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15.Ransomware groups are also increasingly targeting hospitals because of the sensitive information they carry, including social security numbers and other personal data. Multiple hospitals in recent months have had to send letters out to patients admitting that sensitive data was accessed during attacks. Simon Jelley, general manager at Veritas Technologies, called targeting healthcare organizations “particularly despicable.””These criminals are literally putting people’s lives in danger to turn a profit. The elderly, children and any others who require medical attention likely will not be able to get it as quickly and efficiently as they may need while the hackers hold hospital systems and data prisoner,” Jelley said. “Not to mention that healthcare facilities are already struggling to keep up as COVID-19 cases surge once again in many places across the country. Preventing ransomware attacks is a noble effort, but as illustrated by the Memorial Health System attack and so many others like it in recent months, preparation for dealing with the aftermath of a successful attack is more important than ever.” More

Another week, another data breach, and this time involving another communications services provider in Singapore. With cybersecurity incidents now seemingly commonplace, more organisations must be realising it’s only a matter of time before they get hit, but they’ll be wrong to assume it’s their advance-to-go card and they get to skip doing their due diligence in safeguarding customer data.  MyRepublic on Friday said personal data of 79.388 of its mobile subscribers were compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of local customers’ national identity cards and residential addresses of foreign residents.  I asked MyRepublic if the data storage service was cloud-based and whether it was the only client affected by the breach, but it declined to provide specifics citing confidentiality and security reasons. 

It did reveal, however, that it was informed of the breach by “an unknown external party” on August 29, which was the date it said the “unauthorised data access” was uncovered. It since had been plugged and incident “contained”, MyRepublic said.  The internet services provider is the third here to be hit by a cybersecurity breach in just six months. Just in August, local telco StarHub said a file containing personal data of its customers had been found on a dump site. The file contained mobile numbers, email addresses, and identity card numbers of 57,191 individuals who had subscribed to StarHub’s services before 2007. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business. Earlier in February, Singtel said personal details of 129,000 customers including name, date of birth, mobile number, and physical address, were compromised in a security breach that involved third-party file-sharing system, FTA. Launched by US cloud service provider Accellion 20 years ago, the FTA product was nearing retirement and had vulnerabilities that were not properly patched, impacting several organisations and their customers including Shell and Morgan Stanley. In Singtel’s case, financial details of employees of a corporate client also were compromised in the breach. 

In their respective security incident, both MyRepublic and StarHub highlighted that financial details such as credit card and bank account information were not affected. They also noted that none of their own systems were compromised. However, that should bring little comfort since third-party and supply chain attacks are on the rise, paving multiple ways for cybercriminals to breach their eventual targets–any organisation with access to large volumes of consumer data.  Furthermore, there’s little indication that organisations are taking the necessary steps to ensure their entire supply chain is resilient and secured. Are they constantly assessing the security posture of their third-party suppliers? Would MyRepublic have known there was a data breach if the “unknown external party” had not raised the alarm?  When I asked MyRepublic when it last assessed security measures implemented by the affected data storage vendor, it would not specify a date. It said only that it “regularly” reviewed such measures internally and externally, including that of the third-party vendor implicated in the breach.  Wouldn’t it be able to easily provide a specific date of its last assessment if that was the case? And should this be made a mandatory provision when companies report a security incident, alongside other details such as how the breach occurred and the parties involved in the breach. The data storage vendor wasn’t named in the MyRepublic breach, which should lead to further questions about whether other businesses, and their customer data, also were impacted.  All customer data should be properly securedFurthermore, that security breaches did not compromise financial data does not make these leaks any less critical. Singapore is small, with few key players in the telecoms market. Chances are subscribers here would have been customers of all three telcos at some point, which further increases the likelihood they were affected by all three breaches that occurred. This, in effect, means various aspects of their personal information, spanning their date of birth, national identity number, physical address, and mobile number, can be put together to establish a more complete profile.  It also means cybercriminals will be able to use these different datasets of personally identifiable information (PII), pulled together from separate security breaches, to clear security questions or verify and assume the identity of their victims. They can convince banks to issue replacement credit cards in the victim’s name, even if no financial data was compromised in any of the security breach. 

Data breach involving any PII should be a concern, especially as cyber threats and risks from third-party attacks continue to increase. At a panel discussion in Estonia this week, Singapore’s Minister for Communications and Information Josephine Teo described cybersecurity as a “wicked” challenge that could not be completely resolved.This, in fact, prompted the country to change its cybersecurity posture from one focused on prevention, to one of “assume breach” position, Teo said. With this mindset, it assumes systems have been breached or compromised, according to the minister, who pointed to the need for constant vigilance and monitoring to identify breaches.She said it was critical for governments to already have in place response mechanisms to swiftly recover in the event of a breach, including having clear communications to maintain public trust. But while it is true that It’s no longer a question of “if” but “when” organisations experience a security breach, this shouldn’t mean they can afford to take their feet off the accelerator in doing their due diligence and what is necessary to keep their customer data safe. An “assume breach” approach has motivated enterprises to focus on recovery and response, which in itself isn’t wrong, because it pushes these companies to minimise disruptions to service delivery. It also ensures they are able to quickly contain the breach and recover lost data. However, it can divert attention and investment away from threat monitoring and prevention, which are equally as important. In addition, risk management efforts typically will see companies putting more focus on securing more critical data–commonly perceived to be financial and payment details, or the company’s intellectual property assets. This sometimes means other non-financial customer data will be tagged less critical and parked away in a third-party or public cloud-based data storage platform, where security measures may not be as closely or regularly assessed by the organisation.It is likely the reason why, when security incidents occur, affected systems would contain personal customer data such as their mobile number or national identification number, but not their bank or credit card details. Organisations have a responsibility to safeguard all of their customers’ data, regardless of whether loss of that data has financial implications on their business and bottomline. As I mentioned above, theft of any PII can carry potential cyber risks for an individual, even if its loss is deemed to have little financial impact to a business. That means companies, including startups and mobile app platforms, that collect and store large volumes of customer information should take the necessary measures to ensure the data is secured.Telcos, in particular, made for bigger targets due to their access to large consumer databases and communications infrastructure, Joanne Wong, LogRhythm’s vice president for international markets, said in a note on MyRepublic’s breach.”As a digital-first nation, we need to get better at fending against these threats,” Wong said. “We know from experience that there can be far-reaching implications of a single weak link and cannot sit still, and watch the same incidents happen time and time again. Organisations, especially in these essential sectors — need to be proactive and have oversight across their entire digital supply chain, including any third-party vendors. Only when there is constant monitoring and surveillance, can they effectively identify and remediate threats with speed.” On how much organisations should invest in cybersecurity. Teo urged the need to understand their risk profile and allocate the appropriate amount of resources to protect their digital assets. She added that Singapore advised local businesses to carry out risk assessments and invest accordingly, rather than going for the minimum so they were in compliance with regulations. Above all, “assume breach” position does not mean consumers are expected to accept security breaches as part and parcel of dealing with businesses. It should mean organisations must be better able to demonstrate it has done its part in protecting all customer data, including non-financial information, within its own environment as well as across its supply chain. RELATED COVERAGE More

New York state has fixed an issue with the Excelsior Pass Wallet that allows users to acquire and store COVID-19 vaccine credentials.The issue — discovered by researchers at the NCC Group — allows someone “to create and store fake vaccine credentials in their NYS Excelsior Pass Wallet that might allow them to gain access to physical spaces (such as businesses and event venues) where they would not be allowed without a vaccine credential, even when they have not received a COVID-19 vaccine.” The researchers found that the application did not validate vaccine credentials added to it, allowing forged credentials to be stored by users.New York State was notified of the issue on April 30 but spent months ignoring messages from the NCC Group. It was only until the researchers contacted NYS ITS Cyber command center in July that they got a response from the state about the problem.A patch solving the issue was released on August 20. New York State officials did not respond to requests for comment from ZDNet. Siddarth Adukia, technical director at NCC Group, told ZDNet that the widespread rollout of vaccine credential passport applications and their inherent security and privacy implications make them a natural area of interest for security research. “At NCC Group, we’ve been looking into a number of these apps recently. We wanted to gauge the extent to which a user (or venue) should trust these systems, and how the privacy of someone using such systems would be affected,” Adukia said. 

“We started with the NYS Excelsior Pass applications as they were one of the first to rollout in the US, and we had consultants who live in New York State, including myself, who were personally vested in assuring the security and privacy of the system. We found the issue after threat modeling possible attack and abuse vectors against the application and the system in general.” Adukia said his team reverse-engineered the mobile application and intercepted network traffic, allowing them to examine the application for possible problems such as information leak, weak cryptography and other common application security issues.Adukia explained that the application allows users to scan a QR code to add a credential to the wallet or add one through the device’s photo gallery.”The issue we found allowed fake credentials to be stored in the wallet. Both vectors allowed even non-technical users to scan a fake credential (created by themselves or via a website), and store it as a digital vaccine credential in the NYS Excelsior Wallet application,” Adukia added. “Users could then present the credential through the official app to venues, and attempt to gain physical access. A lot of venues don’t use the scanner app or ignore the verification results and trust the seemingly legitimate data on a user’s device, allowing bypass of credential checking.”The current version of the app available in stores is not susceptible to this issue, Adukia noted, but users who may not have updated to the latest version of the app can still upload forged vaccine credentials today. In a technical advisory from NCC Group, researchers included screenshots of forged credentials that can be scanned by the Wallet app and added as a legitimate pass. A screenshot of the fake credentials.
NCC Group
Adukia said NCC Group researchers are currently analyzing and discussing issues in other state-run COVID-19 apps and plan to follow the routine disclosure processes with any vendors. Millions of people have found ways to acquire fake vaccine cards or other verifications allowing them to pretend they received one of the many free COVID-19 vaccines available in the US. A variety of COVID-19 vaccine verifications are being sold at increasingly low prices on the dark web, according to a report in August from Check Point Research. Researchers found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100. Check Point Research’s study found groups advertising the fake vaccine verifications in groups with more than 450,000 people. In March, a previous report from the company found that the price for fake vaccine passports was around $250 on the dark web and that advertisements for the scams were reaching new levels. The researchers now can find fake certificates being sold from groups and people in the US, UK, Germany, Greece, Netherlands, Italy, France, Switzerland, Pakistan and Indonesia. The spike in demand for fake vaccine passports and cards comes as hundreds of companies are forcing employees and customers to show evidence of COVID-19 vaccination before coming into offices or businesses.  More

Fujitsu has confirmed that data being marketed by cybercriminals is not related to any cyberattack on its systems.Criminal marketplace Marketo claimed to have 4GB of data from Fujitsu last month and began marketing it widely.At the time, Fujitsu said it was investigating a potential breach and told ZDNet that “details of the source of this information, including whether it comes from our systems or environment, are unknown.” Marketo claimed to have confidential customer information, company data, budget data, reports and other company documents, including project information.But now both sides have confirmed that the data stolen is not connected to Fujitsu and is instead related to one of the company’s partners in Japan.Fujitsu spokesperson Andrew Kane sent an update to ZDNet confirming that an investigation revealed the stolen data was not from their systems and he noted that even Marketo has since changed how they are marketing the stolen data. “While Fujitsu is aware that Marketo claims that it has uploaded data pertaining to the commercial relationship between Fujitsu and a customer in Japan, we have conducted a thorough review of this incident, and to date there are no indications that this data comes from Fujitsu systems or environments,” Kane said. 

“As for the authenticity and origins of the data, we’re not in a position to speculate and will refrain from further comment for the time being.”Marketo has also changed its tune, now writing that the stolen data is entirely from Japanese manufacturing giant Toray Industries. Toray Industries did not respond to requests for comment. Ivan Righi, a cyber threat intelligence analyst with Digital Shadows, said in August that the 24.5MB ‘evidence package’ initially provided on Marketo had screenshots of data relating to Toray. But many thought the data came from Fujitsu and not Toray Industries. Marketo is still using the Fujitsu logo to market the stolen data but has changed the description under the photo to focus on Toray Industries.While security experts have previously said the data on Marketo is generally accurate, the changes and revelations are yet another example of how unreliable criminal marketplaces like Marketo can be.  More

Cybersecurity is one of the highest-paid careers in the tech industry, probably because those skills were cited as most in-demand by over a third of IT professionals surveyed around the globe. So if you’ve reached even an intermediate level of experience in a tech position, you can turbocharge your career into one of the hottest jobs on the market by training at your own pace with the very affordable Ultimate 2021 Cyber Security Survival Training Bundle. The Cisco 210-260 IINS: Implementing Cisco Network Security course covers the technologies used by the company in its security infrastructure, so it’s perfect for anyone who wants to specifically work for one of the most successful tech companies in the world. But all of the other courses are vendor-neutral.The Certified Information Systems Auditor (CISA) course is good for anyone from entry-level to mid-career IT professionals. It will cover everything you need to gain skills that will qualify you for positions that require you to monitor, assess, audit, and control a company’s business and IT systems.With so much of today’s technology residing in the cloud, the Cloud Computing Security Knowledge (CCSK) course can qualify you for a certification that will really polish up a resume. It teaches the fundamentals of how to keep data secure in the cloud and provides a foundation for more advanced cloud credentials.Anyone looking to level up to a management position will probably find the Certified Information Security Manager (CISM) class extremely helpful. It covers program development and management as well as incident and risk management.Those who already have a couple of years of experience in security-related IT administration would benefit from the CompTIA Security+ SY0-501 class. You’ll learn all about secure installation and configuration of devices, networks, and applications, as well as threat analysis, risk mitigation, and much more.ITU Online Training has specialized in technical skills for almost a decade, using video modules created by highly qualified instructors. All of the courses include practice exams, a note-taking function, and progress trackers. So it’s no wonder the company has over 650 000 satisfied students, as well as numerous awards such as Cybersecurity Excellence and Best in Biz.

Don’t pass up this opportunity to train for a highly paid tech career. Grab The Ultimate 2021 Cyber Security Survival Training Bundle today while it’s on sale for just $29.99.

ZDNet Academy Deals More