Eliana Willis

The latest AppSec Stats Flash report from NTT Application Security has found that the remediation rate for severe vulnerabilities is on the decline, while the average time to fix is on the rise.The report, which is compiled monthly, covers window of exposure, vulnerability by class and time to fix.The latest report found that the window of exposure for applications has increased over the last six months while the top-5 vulnerability classes by prevalence remain constant, which the researchers behind the report said was a “systematic failure to address these well-known vulnerabilities.”According to NTT Application Security researchers, the time to fix vulnerabilities has dropped 3 days, from 205 days to 202 days. The average time to fix is 202 days, the report found, representing an increase from 197 days at the beginning of the year. The average time to fix for high vulnerabilities grew from 194 days at the beginning of the year to 246 days at the end of June.Remediation rates have also decreased across all vulnerability severities, with rates for critical vulnerabilities falling from 54% at the beginning of the year to 48% at the end of June. Rates for high vulnerabilities decreased from 50% at the beginning of the year to 38% at the end of June.The report notes that many of these vulnerabilities are “pedestrian” and require a low level of effort and skill to exploit. HTTP Response Splitting is one issue that is on the rise, according to the report, and the authors suggest organizations pay closer attention to upgrading underlying open-source components. The vulnerability allows attackers “to modify the user-facing content of a website by tricking the target user into clicking a malicious link or visiting a malicious website.”

More than 65% of applications in the utilities sector have at least one serious exploitable vulnerability throughout the year, leading all other industries. Education, manufacturing, and retail and wholesale trade applications each saw an increase in their windows of exposure this month. The window of exposure for the education, retail trade and manufacturing industries saw increases of 4% and healthcare rose by 2%.”The Wholesale Trade sector has seen a 15% increase in Window of Exposure, while Utilities has experienced an 11% increase since the beginning of the year,” the researchers wrote. “Manufacturing, Public Administration and Healthcare are large sectors that have each seen a decline in their respective window of exposures, likely due to an increased focus on security following targeted breach activity and/or new regulations.”Two other sectors saw improvements in their window of exposure. The finance and insurance sectors reported a 2% drop in their window of exposure. “This data indicates that industries like Education, Retail, Manufacturing, Healthcare, Utilities and Public Administration continue to suffer more than other industries, including Finance and Insurance,” the report said. “The top-5 vulnerability classes identified in the last three month rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross Site Scripting, Insufficient Transport Layer Protection & Content Spoofing.”  More

Cloud content management provider Box has released its native e-signature feature, Box Sign, to business and enterprise customers. The company has included this as part of its overall lifecycle of managing content versus selling it as a standalone product. 

ZDNet Recommends

The best cloud storage services

Free and cheap personal and small business cloud storage services are everywhere. But, which one is best for you? Let’s look at the top cloud storage options.

Read More

The technology that enables this came to Box through the February acquisition of SignRequest. The release on July 26 gives customers unlimited signatures plus access to a set of application programming interfaces (APIs) to modernize and digitize the process of managing signed documents. The service is available to a subset of customers now but will be rolled out to all users in the next few months. Box Sign includes the following features: documents now can be sent for signature from within the Box web application; ability to sign and request signatures with four standard fields: signature, date, checkbox, and text; templates for common and repeatable processes, such as NDAs;email reminders and deadline notifications to keep projects on track; serial and parallel document processing, so users can sign documents at the same time or sequentially; real-time tracking; and security controls, such as signer authentication via email, tamper seal indicators, and the inclusion of electronic record and signature disclosures if required. Pandemic hastened use of e-signaturesThe use of e-signatures saw a sharp rise during the stay-at-home period of the COVID-19 pandemic. There are many processes that pre-pandemic required an actual wet signature that shifted to e-signatures due to the need for physical distancing. This includes real estate transactions, sales contracts, and even some legal documents, such as employee onboarding. Now that people have grown accustomed to the ease of e-signatures as businesses trust the process, the increased use of them is likely to stay and even grow.While there are many standalone signature services, the use of them can cause some business challenges, particularly in large volumes. The first one is simply the additional cost of paying for a service. Some charge by the document, others by the user, some have capacity limits, etc. Also, there can be issues with version control when creating the document. For example, a salesperson may create a document in Word and then upload it into a standalone service to send to the customer. If the customer then asks for a change, the Word file is updated and re-uploaded, creating another copy–if the original isn’t deleted. Then there is the process of protecting, archiving, and storing executed agreements. Typically, each e-signature service has its own file storage, and the user would need to remember to download the document from that service and then upload it into the corporate content management system.This is where Box’s approach is different, because it thinks about the lifecycle of the e-signature, which includes the actual signature but also the upstream and downstream processes. For example, consider a contract being created where the sales team and legal team would need to collaborate and send versions back and forth, make comments, assign tasks, and so on. This is made easy with the core Box platform when compared with something like email, because everyone is working with the same document. Instead of having to log into a separate tool, the e-signature process is done in Box natively, which means there’s nothing to upload. Once the contract is signed, it stays in Box, and any kind of governance policies can be applied to it. This might include something such as ensuring only certain key people can access the document once it is signed. Difference between e-signatures and digital signatures

Those new to this area should understand there is a difference between e-signatures and digital signatures. A digital signature is an e-signature with enhanced security. When a document goes through the signing process, the signature is authenticated to validate the person’s identity. That information is stored in the document and will show if anyone tampers with the document after it has been signed. I asked Box about the service, and a spokesman explained that the company is starting with e-signatures but working on digital-signature verification capabilities for release later this year. This includes the ability to use SMS and/or passwords. In parallel, Box is working to integrate with a third-party trust provider to bring full digital-signature capabilities. Customers who require this today can work with a number of partners, such as DocuSign. Box also launches Enterprise Plus suite of toolsBox also introduced its Enterprise Plus suite. This is a new plan that includes the following add-ons: Box Shield, Box Governance, Box Relay, Box Platform, and Box Sign. The suite also includes the ability to send documents for signature directly from Salesforce. Enterprise Plus is available now to Box customers. Businesses currently using Box Digital Suites can keep their current plan or upgrade to Enterprise Plus at no additional cost. Box has done a nice job with the evolution of its product to meet the constantly changing demands of an increasingly digitized world. When the term “collaboration” is used, many people think of products such as Webex and Zoom. While those are certainly important, workers collaborate by sharing, editing, securing, and now signing content; no one does that better than Box, and I look at this company as one of the vendors enabling businesses to shift to composable organizations. The pandemic had an interesting impact on society, because it forced us to try many things with which we may not have been comfortable previously, such as signing documents electronically. Now that people have been exposed to this and have experienced the benefits, the demand is likely to stay high. As businesses adopt e-signatures, it’s important to think of this as part of the overall document management process, versus something done in isolation. More

Windows internet-facing servers are being targeted by a new threat actor operating “almost completely in-memory,” according to a new report from the Sygnia Incident Response team. The report said that the advanced and persistent threat actor — which they have named “Praying Mantis” or “TG1021″ — mostly used deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment.”TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers wrote.”The threat actor utilized the access provided using the IIS to conduct the additional activity, including credential harvesting, reconnaissance, and lateral movement.”Over the last year, the company’s incident response team has been forced to respond to a number of targeted cyber intrusion attacks aimed at several prominent organizations that Sygnia did not name.”Praying Mantis” managed to compromise their networks by exploiting internet-facing servers, and the report notes that the activity observed suggests that the threat actor is highly familiar with the Windows IIS platform and is equipped with 0-day exploits.”The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also use an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks,” the report explained. 

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of operations security. The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic.” The actors behind “Praying Mantis” were able to remove all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth. The researchers noted that the actors’ techniques resemble those mentioned in a June 2020 advisory from the Australian Cyber Security Centre, which warned of “Copy-paste compromises.”The Australian notice said the attacks were being launched by “sophisticated state-sponsored actor” that represented “the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.”Another notice said the attacks were specifically targeting Australian government institutions and companies. “The actor leveraged a variety of exploits targeting internet -acing servers to gain initial access to target networks. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications and are used to execute a sophisticated memory-resident malware that acts as a backdoor,” the Sygnia report said. “The threat actor uses an arsenal of web application exploits and is an expert in their execution. The swiftness and versatility of operation combined with the sophistication of post-exploitation activities suggest an advanced and highly skilful actor conducted the operations.”The threat actors exploit multiple vulnerabilities to leverage attacks, including a 0-day vulnerability associated with an insecure implementation of the deserialization mechanism within the “Checkbox Survey” web application.They also exploited IIS servers and the standard VIEWSTATE deserialization process to regain access to compromised machines as well as “This technique was used by TG1021 in order to move laterally between IIS servers within an environment. An initial IIS server was compromised using one of the deserialization vulnerabilities listed above. From there, the threat actor was able to conduct reconnaissance activities on a targeted ASP.NET session state MSSQL server and execute the exploit,” the report noted.It added that the threat actors have also taken advantage of vulnerabilities with Telerik products, some of which have weak encryption. Sygnia researchers suggested patching all .NET deserialization vulnerabilities, searching for known indicators of compromise, scanning internet-facing IIS servers with a set of Yara rules and hunting for suspicious activity on internet-facing IIS environments.  More

According to the latest HP Wolf Security Threat Insights Report, email is still the most popular way for malware and other threats to be delivered, with more than 75% of threats being sent through email messages. The report — covering the first half of 2021 — is compiled by HP security analysts based on customers who opt to share their threat alerts with the company. HP’s researchers found that there has been a 65% rise in the use of hacking tools downloaded from underground forums and filesharing websites from H2 2020 to H1 2021. Some of the tools are able to solve CAPTCHA challenges using computer vision techniques. Some of the most targeted sectors include manufacturing, shipping, commodity trading, maritime, property and industrial supplies. Ian Pratt, global head of security at HP, said the proliferation of pirated hacking tools and underground forums are allowing previously low-level actors to pose serious risks to enterprise security.””Simultaneously, users continue to fall prey to simple phishing attacks time and time again. Security solutions that arm IT departments to stay ahead of future threats are key to maximizing business protection and resilience,” Pratt said. The report notes that affiliates of Dridex — which is now the top malware family isolated by HP Wolf Security — have been selling access to breached organizations to other threat actors, including ransomware groups. 

Some criminal groups are now also using CryptBot malware to deliver banking trojan DanaBot, and cyberattackers are increasingly targeting business executives. “In March 2021, HP Wolf Security isolated a multi-stage Visual Basic Script malware campaign targeting senior executives. The targets received a malicious ZIP attachment by email, named using their first and last names,” the report said. “It is likely the threat actor obtained employee names and email addresses from publicly available information online. The archives contained an obfuscated VBS downloader that downloads a second VBS script from a remote server to the user’s %TEMP% folder. The first stage script was heavily obfuscated and had a low detection rate — only 21% of anti-virus scanners on VirusTotal detected it as malicious.”  The company also found a résumé-themed malicious spam campaign that targeted shipping, maritime, logistics and related companies in Italy, Japan, Chile, UK, Pakistan, the US, and the Philippines. According to HP, these attacks exploit a Microsoft Office vulnerability to deploy the commercially available Remcos RAT and gain backdoor access to infected computers.”Threat actors are continuing to exploit old vulnerabilities in Microsoft Office, underlining the need for enterprises to patch out-of-date Office versions in their environments,” HP’s researchers wrote. “We saw a 24% increase in CVE-2017-11882 exploits in H1 2021 compared to H2 2020. Otherwise, there was no significant change in the vulnerabilities exploited by attackers over the reporting period compared to H2 2020.”Alex Holland, the senior malware analyst at HP, said the cybercrime ecosystem continues to develop and transform, with more opportunities for petty cybercriminals to “connect with bigger players within organized crime, and download advanced tools that can bypass defenses and breach systems.” “We’re seeing hackers adapt their techniques to drive greater monetization, selling access on to organized criminal groups so they can launch more sophisticated attacks against organizations,” Holland said. “Malware strains like CryptBot previously would have been a danger to users who use their PCs to store cryptocurrency wallets, but now they also pose a threat to businesses. We see infostealers distributing malware operated by organized criminal groups — who tend to favor ransomware to monetize their access.”The report adds that threats downloaded using web browsers rose by 24%, driven mostly by cryptocurrency mining software.Nearly half of all email phishing lures used invoices and business transactions, while another 15% were replies to intercepted email threads. The days of cybercriminals using the COVID-19 pandemic as a lure seems to have ended, considering less than 1% of emails used the pandemic, and there was a 77% drop from H2 2020 to H1 2021 in its usage. 
HP
The report attributes the stolen email thread technique to Emotet, which law enforcement agencies took down in January. “We saw large Emotet campaigns targeting Japanese organizations using lures created from stolen email threads — a technique called email thread hijacking. Following the takedown, the proportion of malware being distributed via Word documents fell significantly because Emotet’s operators preferred to use a Wordbased downloader,” the report said. Archive files, spreadsheets, documents and executable files were the most common types of malicious attachments. According to HP’s team, almost 35% of malware captured had not been previously known. “Cybercriminals are bypassing detection tools with ease by simply tweaking their techniques. We saw a surge in malware distributed via uncommon file types like JAR files — likely used to reduce the chances of being detected by anti-malware scanners,” Holland added. “The same old phishing tricks are reeling in victims, with transaction-themed lures convincing users to click on malicious attachments, links and web pages.”Pratt explained that as cybercrime becomes more organized and smaller players can easily obtain effective tools and monetize attacks by selling on access, there’s no such thing as a minor breach. He noted that the endpoint continues to be a huge focus for cybercriminals. “Their techniques are getting more sophisticated, so it’s more important than ever to have comprehensive and resilient endpoint infrastructure and cyber defense,” Pratt said. “This means utilizing features like threat containment to defend against modern attackers, minimizing the attack surface by eliminating threats from the most common attack vectors — email, browsers, and downloads.” More

Because I write so often about VPNs, I tend to get a lot of reader questions. In this article, I’m going to do my best to answer questions from readers about using a VPN on a Mac. I’m also going to recommend VPNs that all must have a certain set of specs: Kill switch, no leaking, and fast. These are our table stakes for recommendations.  The VPNs below allow five or more simultaneous connections, as well, so if you have an iPhone and an iPad as well as a Mac, you can protect all three with one license. With that, let’s dive in.

Heavy hitter in the VPN market

Mac, iPad, iPhone: Yes, yes, and yesSimultaneous connections: 6Kill switch: YesLogging: Email address and billing information onlyTrial: 30-day refund guaranteeCountries: 60Best price: $89 for two years ($3.30 per month)NordVPN is one of the heavy hitters in the VPN market. In our aggregate speed test ranking, it came in first overall. We found that Nord’s user interface was crisp and clean, and the product was quick and easy to install. It also doesn’t get in the way. It runs when you want it to, but you can quickly shut it off when you’re back at home or in the office.Full review: NordVPN review: A market leader with consistent speed and performanceWe were quite intrigued by the five communications services offered: P2P, Double VPN, Dedicated IP, Onion Over VPN, and Obfuscated (which means “to render obscure, unclear, or unintelligible). The Double VPN feature is designed to run your data through a second VPN server, and while that’s a great idea, I found it was unreliable in real-world usage.Also: Meet NordSec: The company behind NordVPN wants to be your one-stop privacy suiteBeyond the Apple platforms, NordVPN supports Windows and Android. And beyond that, NordVPN has clients a huge number of platforms ranging from all the way back to Windows XP, forward to Raspberry Pi, Synology, and Western Digital, along with QNAP NAS boxes, Chromebook, a whole bunch of routers, and more.

View Now at NordSec

Among the fastest VPNs tested

Mac, iPad, iPhone: Yes, yes, and yesSimultaneous connections: 5Kill switch: YesLogging: NoTrial: 45-day refund guaranteeCountries: 80Best price: $95.88 for one year ($7.99 per month)Hotspot Shield came in second in our aggregate performance ranking, but that was because the performance was somewhat inconsistent. For some testers (myself included), Hotspot Shield was among the fastest VPNs tested. I actually found that some connections increased in speed when using Hotspot Shield, which feels almost like a violation of the laws of physics. But for other testers, performance was lower.Full review: Hotspot Shield review: Here’s a VPN that actually lives up to its hypeThat’s why we always recommend you take advantage of return policies and test actively before your money-back time is up.Hotspot Shield achieves its rather unexpected performance gains because it uses its own proprietary network and protocol. Those who love debating VPN protocols might be disappointed because “Catapult Hydra” is your only choice. But don’t let it keep you away, because — at least from America to other countries, which is how I tested — it works.Client installs were straightforward. You can’t modify some options until after you connect, which is vaguely annoying. But it gets the job done, and its speed, if it works for you, is something to behold.

View Now at Hotspot Shield

Payment via Bitcoin available for utmost anonymity

Mac, iPad, iPhone: Yes, yes, and yesSimultaneous connections: 5Kill switch: YesLogging: NoTrial: 30-day refund guaranteeCountries: 94Best price: $99.95 for one year ($8.32 per month-ish)ExpressVPN came in third in our aggregated performance testing. In one way, it was more like NordVPN than Hotspot shield, in that the standard deviation was low. What this means is that the performance numbers were generally consistent across all testers. Hotspot’s numbers varied considerably across testers.Full review: ExpressVPN review: A fine VPN service, but is it worth the price?Unlike Nord and Hotspot, ExpressVPN offers a 30-day money-back guarantee, not a 45-day. That’s not too much of a loss because if you make testing a priority, you can certainly determine if ExpressVPN works for you within a month. One standout benefit ExpressVPN offers that the others don’t is payment via Bitcoin. If you want to remain as anonymous as possible, Bitcoin payment makes sense.Oddly enough, the company advertises that its one year plan bills at $99.95, but they then list that a per-month fee of $8.32. 8.32 times 12 is 99.84, not 99.95. Eleven cents doesn’t really matter, but math clearly isn’t someone’s strong suit.One feature I really liked was the network-wide speed test. Once in the client, you can tell ExpressVPN to scan its entire network and tell you server speeds for each server. It takes a few minutes, but it’s great for not only picking the fastest server but for getting a feel for network performance overall.On the downside, we run into a weird security issue with something called Security Firewall Ltd. I recommend you read the review, as well as ExpressVPN’s response, to decide if this is of concern to you.I liked ExpressVPN. It was a breeze to set up and configure. I like how you can determine server speed across the entire network. And searching, saving, and configuring locations is dead simple. If you’re using a VPN to protect your coffee shop surfing, it’s fine. But if you’re using a VPN to protect your location to protect your life, I’d think twice.

View Now at ExpressVPN

So there you go. Three VPNs with well-considered configurations for Macs, iPhones, and iPads.

Do I even need a VPN on a Mac?

This comes because the Mac is often considered more secure than Windows. By virtue of both the smaller number of units sold (making it a less juicy target for hackers) and Apple’s tight lock on hardware/software integration, the Mac is somewhat more secure than Windows. That means less malware runs on the Mac platform.But you don’t use a VPN primarily to protect against malware. You use a VPN to protect the data you transmit and receive and prevent your location from being determined by your visit sites. Apple will be offering iCloud+ Private Relay when MacOS Monterey comes out in the fall, and while that does offer some protection, it’s not a full VPN.So, yes, you need a VPN on the Mac because you want to protect your communications when you’re out and about and your location any time you don’t want anyone to know where you’re located.

How should I choose a VPN for my Mac?

This comes from the question some readers ask about whether they should limit their VPN choices to products sold on the Mac App Store and because Mac programs that are built expressly for the Mac tend to integrate better.You definitely want a well-integrated VPN client into the Mac, but the Mac App Store puts some limitations on how a VPN can function. While I wouldn’t necessarily shy away from Mac App Store VPNs, it’s not necessarily a plus either.When you choose a VPN, the most important factor is going to be the security infrastructure of the VPN provider because you’re not just installing an app; you’re adopting a network.Look for VPNs with clean, responsive clients that have kill switches in case the connection drops, that are fast to start and stop that hides your location and traffic that doesn’t log your surfing behavior, and move data quickly.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

ZDNet Recommends More