Eliana Willis

Organisations should provide a proper channel through which anyone can report vulnerabilities in their systems. This will ensure potential security holes can be identified and plugged before they are exploited. Establishing a vulnerability disclosure policy (VDP) also would provide assurance to anyone, such as security researchers, acting in good faith that they would not face prosecution in reporting the vulnerability, said Kevin Gallerin, Asia-Pacific managing director of bug bounty platform, YesWeHack. In fact, creating such policies was more important than running bug bounty programmes, Gallerin said in a video interview with ZDNet. He noted that more companies today were embracing the need for a VDP, detailing a “safe and clear framework” through which information about security vulnerabilities could be submitted and how these should be handled within the organisation. 

Without a proper policy in place, security researchers might be less inclined to report a vulnerability or, when they did so, might not receive a response since the organisation’s employees lacked guidance on what they needed to do.”The information [then] gets lost and forgotten until the vulnerability eventually gets exploited,” Gallerin said, adding that a proper VDP would provide a structured channel to report security issues and mitigate the affected organisation’s risks by reducing their time to remediation. “We’re a strong advocate for this.”YesWeHack’s service offerings include helping enterprises establish their VDP, integrating vulnerability management with their internal workflows, as well as review and recommend changes to their existing VDP. The vendor was seeing growing demand for both its bug bounty and VDP services in this region, including China, Indonesia, and Australia, Gallerin said.  

Headquartered in France, the vendor has an office in Singapore and currently is running bug bounty programmes for Southeast Asian e-commerce operator, Lazada, and Chinese telecoms equipment manufacturer, ZTE. Some 30% of its customer base are in this region, of which half are in Singapore. Gallerin told ZDNet that YesWeHack was targeting for Asia-Pacific to account for half of its global clientele, adding that the bug bounty platform currently works with some 10,000 security researchers in this region. It has a global network of more than 25,000 security researchers. Its triage team comprises full-time employees in Singapore and France, who divide their time between triaging–to assess submissions in bug bounty programmes–and supporting research and development projects for internal deployment as well as tools for the hunter community.It previously ran a private bug bounty programme for Lazada, which saw $150,000 in bounties handed out to bug hunters, he said, but declined to say how many vulnerabilities were identified. The e-commerce operator had started out with smaller, private bug hunting exercises before gradually scaling up and launching its public bug bounty programme last month with YesWeHack, Gallerin said.He noted that most companies in Asia, compared to their US or European counterparts, were less comfortable discussing potential vulnerabilities in their systems and preferred to run private bug bounty programmes. They did, however, realise there likely were security holes their own teams had overlooked and saw bug bounty programmes as a way to identify, and plug, potential vulnerabilities, he said. The main objective here was to prevent potential data breaches, he added, which was a common concern amongst Asian companies, especially as businesses today increasingly were collecting and managing large volumes of personal customer data. According to Gallerin, YesWeHack’s hacker community had been able to find at least one critical vulnerability–which enabled full access to user data or infrastructure–in most bug bounty programmes it ran. RELATED COVERAGE More

Multiple civil rights groups banded together this week to end the use of facial recognition tools by large retailers. According to advocacy group Fight For the Future, companies like Apple, Macy’s, Albertsons, Lowes and Ace Hardware use facial recognition software in their stores to identify shoplifters. The group created a scorecard of retailers that they update based on whether the company is currently using facial recognition, will in the future or never will.  Stores like Walmart, Kroger, Home Depot, Target, Costco, CVS, Dollar Tree and Verizon have all committed to never using facial recognition in their stores in statements to Fight For the Future. Walgreens, McDonald’s, 7-Eleven, Best Buy, Publix, Aldi, Dollar General, Kohl’s, Starbucks, Shoprite and Ross are just a few of the companies that Fight For the Future believes may use facial recognition software in the future.But it isn’t just major retailers deploying facial recognition software. Backlash to private use of facial recognition culminated on Wednesday when Livonia skating rink in Michigan was accused of banning a Black teenager after its facial recognition software mistakenly implicated her in a brawl. Lamya Robinson told Fox2 that after her mom dropped her off at the skating rink last Saturday, security guards refused to let her inside, claiming her face had been scanned and the system indicated she was banned after starting a fight in March.”I was so confused because I’ve never been there,” Lamya told the local news outlet. “I was like, that is not me. who is that?” 

Lamya’s mother Juliea Robinson called it “basically racial profiling.””You’re just saying every young Black, brown girl with glasses fits the profile and that’s not right,” Robinson added. The skating rink refused to back down in a statement to the local news outlet, claiming their software had a “97 percent match.” “This is what we looked at, not the thumbnail photos Ms. Robinson took a picture of. If there was a mistake, we apologize for that,” the statement said. Caitlin Seeley George, campaign director at Fight for the Future, told ZDNet that Lamya’s situation was “exactly why we think facial recognition should be banned in public places.” “This girl should not have been singled out, excluded from hanging out with her friends, and kicked out of a public place. It’s also not hard to imagine what could have happened if police were called to the scene and how they might have acted on this false information,” Seeley George said. “We’ve seen time and again how this technology is being used in ways that discriminate against Black and brown people, and it needs to stop. Local lawmakers in Portland enacted an ordinance that bans use of facial recognition in places of public accommodation like restaurants, retail stores, and yes, skating rinks. We’re calling for Congress to enact such a ban at the federal level as well.”The situation occurred after Robert Williams, another Black Michigan resident arrested based on a mistake by facial recognition software, testified in Congress this week. Williams came forward in June 2020 as one of the first people to confirm having been arrested based on faulty facial recognition software in use by police. He filed a lawsuit against the Detroit Police Department with the ACLU after he was arrested on the front yard of his home as his children watched, all based on a facial recognition match that implicated him in a robbery. After 16 hours in holding, he was shown the photo that led to the match and held it up to his face, causing one officer to say “the computer must have gotten it wrong.” Police put a security camera photo into their database and Williams’ driver’s license was listed as a match. “Detroiters know what it feels like to be watched, to be followed around by surveillance cameras using facial recognition,” said Tawana Petty, national organizing director at Data for Black Lives. 

“In Detroit, we suffer under Project Green Light, a mass surveillance program that utilizes more than 2000 flashing green surveillance cameras at over 700 businesses, including medical facilities, public housing and eating establishments,” Petty added, noting that the cameras using facial recognition are monitored at real-time crime centers, police precincts and on officers’ mobile devices 24/7. She said in a statement that it is difficult to explain the psychological toll it takes on a community to know that every move is being monitored “by a racially-biased algorithm with the power to yank your freedom away from you.” “We must ban facial recognition from stores and get this invasive technology out of every aspect of our lives,” Petty said. EFF senior staff attorney Adam Schwartz told ZDNet that facial recognition use is growing among retailers and that the racial implications of stores having databases of “potential” shoplifters was particularly fraught considering the privacy implications. But he disagreed with Fight For The Future’s stance, explaining that instead of banning its use among private organizations, there should be opt-in consent requirements that would stop stores from randomly scanning every face that walks in. He noted the need for innovation and some positive instances of facial recognition being used across society, including the iPhone feature that allows you to open your phone with your face. Ahmer Inam, chief AI officer at Pactera EDGE, said much of the backlash toward retail use of facial recognition is because companies have not been transparent about how they’re using it. “Using a mindful AI approach, a powerful tool like facial recognition can yield tremendous benefits for the consumer — as well as the retailer. But values such as privacy, transparency, and ethical-use have to be top-of-mind during the build. It’s something we’ve seen work effectively for our facial recognition and other AI projects,” Inam said. “The biggest challenge facial recognition ‘faces’ right now is model bias that results in false positives. For retailer’s, it isn’t just about building a facial recognition-based system — but to what purpose and intention.” Inam listed multiple examples of facial recognition being used to improve the retail experience like that of CaliBurger, which rolled out kiosks that use facial recognition to connect orders to customers. But Seeley George said companies are adopting facial recognition in the name of “convenience” and “personalization,” while ignoring how they abuse peoples’ rights and put them in danger. “The stores that are using or are considering using facial recognition should pay attention to this call from dozens of leading civil rights and racial justice organizations who represent millions of people,” Seeley George said.”Retailers should commit to not using facial recognition in their stores so we can champion their decision, or be prepared for an onslaught of opposition.” More

The State Department announced a $10 million reward for any information about hackers working for foreign governments. 

The measure is aimed squarely at those participating in “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.” Officials said in a release that this included ransomware attacks targeting “critical infrastructure.” In addition to ransomware, the notice mentions a number of other cyber violations and notes that it applies to government computers as well as “those used in or affecting interstate or foreign commerce or communication.”Ransomware groups have made millions over the last two years attacking pipelines, manufacturers, hospitals, schools and local governments. While attacks on Colonial Pipeline and major meat processor JBS drew the biggest headlines, hundreds of healthcare institutions, universities and grade schools have suffered from damaging attacks. The DHS estimated that about $350 million in ransom was paid to cybercriminals in 2020.The reward program is run through the Diplomatic Security Service and has organized a “Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.””The RFJ program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources. Reward payments may include payments in cryptocurrency,” the State Department said. “More information about this reward offer is located on the Rewards for Justice website at www.rewardsforjustice.net.”

POLITICO reported on Wednesday that the reward was part of a larger rollout of actions the Biden Administration was taking to address ransomware attacks. A multi-agency ransomware task force has been created that will lead both “defensive and offensive measures” against ransomware groups. The White House is also giving the task force the leading role in pushing government agencies and “critical infrastructure companies” to improve their defenses and shore up cybersecurity gaps. The task force will give Biden’s team weekly updates on the effort to beef up the government’s cybersecurity, according to Politico. US Senators met with deputy national security advisor Anne Neuberger on Wednesday afternoon where she explained the White House efforts to address ransomware attacks. CISA executive assistant director for cybersecurity Eric Goldstein was also on the call alongside officials from the FBI, DOJ and Treasury Department. The leaders of the Senate Judiciary also announced this week that they planned to hold a hearing on July 27 about ransomware. An anonymous source told Politico that cybersecurity officials asked for the authority to make some cybersecurity measures mandatory for certain infrastructure organizations. Adam Flatley, director of threat intelligence at cybersecurity company [redacted], worked on the Ransomware Task Force and contributed to a comprehensive guide for battling ransomware in April. He lauded the stopransomware.gov site and said offering a central location with free resources to help prevent, prepare for, report, and respond to ransomware attacks would be helpful for the most vulnerable organizations.”This is especially true for those organizations who have budget constraints that force them to go it alone, which is the case for so many good, hard working folks,” he added. Some experts questioned whether the reward would be an effective mechanism for tips about cyberattackers.Austin Berglas, who previously served as assistant special agent in charge at the FBI’s New York Office Cyber Branch, said there was potential for the reporting mechanism to turn “into a public payphone.””The difficulty is the amount of resources that will be necessary to separate the ‘signal’ from the ‘noise’ and identify the legitimate tips. Other considerations include attribution to, and information provided by the tipster. If there was an arrest made and follow on prosecution (based on an anonymous lead), investigators will have to be able to provide evidence of the crimes alleged by the anonymous party,” Berglas explained.  

ZDNet Recommends

“This may or may not be possible without the cooperation of the anonymous lead source. Also, OFAC has to be considered when making anonymous payments — how is due diligence going to be performed prior to making a payment to a foreign national?”Berglas also noted that rival malicious hacking groups may view this scheme as a way to make money and reduce the amount of competition in the market. He added that the measures could do little to address the elephant in the room — the fact that many ransomware groups are provided safe harbor in Russia. “There are numerous existing cases where warrants are obtained and red notices are disseminated for criminals residing in these countries,” Berglas said. Many cybersecurity experts also took notice of the specific language of the State Department’s notice, focusing in on the phrase “while acting at the direction or under the control of a foreign government.””It appears to be an attempt to short-cut the process of detailed attribution that is necessary to implicate a foreign government in collusion or cooperation with organized crime,” said Mike Hamilton, former DHS vice-chair for the State, Local, Tribal, Territorial Government Coordinating Council.”If the US government can incentivize someone to provide evidence of such, paying out $10M is probably a good deal considering the resources we bring to bear with the intelligence community for the same outcome.” More

Facebook said it has disrupted a network of hackers tied to Iran who were attempting to distribute malware via malicious links shared under fake personas. The social network’s cyber espionage investigations team has taken action against the group, disabled their accounts and notified the roughly 200 users who were targeted. 

The hackers — believed to be part of the Tortoiseshell group — were targeting military personnel and people who worked in the aerospace and defense industries in the United States, often spending months on social engineering efforts with the goal of directing targets to attacker-controlled domains where their devices could be infected with espionage enabling malware.On Facebook, roughly 200 accounts associated with the hacking campaign were blocked and taken down.”This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said in a blog post. “Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and its activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing of the malware itself.”Facebook said the highly focused campaign marked a departure from Tortoiseshell’s usual attack pattern. The group, estimated to have been active since 2018, is known for focusing primarily on the information technology industry, not aerospace and defense.  Moreover, Facebook said the campaign also used several distinct malware families, and that at least of a portion of their malware was custom developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some current and former MRA executives have links to companies sanctioned by the US government, Facebook said.”We saw [Tortoiseshell] pivot in 2020 to the new focus on aerospace and defense in the US,” said Mike Dvilyanski, head of cyber espionage investigations for Facebook. “We have no insights as to the level of seniority in companies that the targets had. This relates to our overall investigation in malware analysis but we are confident that part of the malware was developed by the MRA.”RELATED: More

Ransomware gangs are still using phishing as one of the main ways to attack an organization, according to a new survey from Cloudian featuring the insights of 200 IT decision-makers who experienced a ransomware attack over the last two years. More than half of all respondents have held anti-phishing training among employees, and 49% had perimeter defenses in place when they were attacked.  Nearly 25% of all survey respondents said their ransomware attacks started through phishing, and of those victims, 65% had conducted anti-phishing training sessions. For enterprises with fewer than 500 employees, 41% said their attacks started with phishing. About one-third of all victims said their public cloud was the entry point ransomware groups used to attack them.  “This reflects the increasing sophistication of phishing schemes, with attackers now mimicking emails from trusted associates such as high-level executives (known as ‘whaling’ attacks). These emails will sometimes include personal details, usually gleaned from social media, making it more likely that even a wary individual will fall prey,” the report explained. The speed of ransomware groups is also startling, with 56% saying ransomware actors managed to take over their data and send a ransom demand in under 12 hours. 30% said their data was taken in 24 hours. For companies attacked through phishing, 76% of victims noted that attackers took over systems within 12 hours. The report added that “44% of respondents’ total data was held hostage, with financial, operational, customer and employee data all being targeted.” Enterprises experienced an average downtime of three days.  The average financial cost for respondents was nearly $500,000, and 55% said they ended up paying the ransom, with an average ransom cost of $223,000. Nearly 15% said they paid $500,000 or more. Even after paying, just 57% were able to get all of their data back. 

“The findings reveal the cold, hard truth about such attacks: They are hard to prevent even when you’re prepared. Ransomware can penetrate quickly, significantly impacting an organization’s financials, operations, customers, employees and reputation. Even if you pay the ransom, other related costs can be significant,” the report said.  The other costs associated with responding to a ransomware attack added up to an average of $183,000. On average, victims got 60% of their costs covered through cyber insurance. But almost 90% of victims said their cyber insurance rates increased after they were attacked, and there was an average increase of 25%.  According to the survey, more than half of respondents dealt with additional impacts to “their financials, operations, employees, customers and reputation.” “The threat of ransomware will continue to plague organizations around the world if they do not change their approach and response to it,” said Jon Toor, chief marketing officer at Cloudian. Read the full report: 2021 Ransomware Victims Report.

ZDNet Recommends More

There’s never been a greater need for cybersecurity experts. Recent studies show that big companies experience significant security issues every 12 hours. If you’re interested in a security-related career in the tech industry, this $69 Infosec4TC Platinum Membership: Lifetime Access deal could be your path forward. The membership gives you access to over 90 courses that you can take at your own pace, and they are all security-related. Even better, the membership will give you access to any new courses that are offered in the future.

In addition to the courses, the membership includes free access to the student portal, all certification training bundles, future updates, private social media groups, frequently updated extra course materials, and the most recent exam questions. The courses include Hacking using Python From A to Z, The Complete Ethical Hacker Course, and multiple courses for becoming a Certified Information Systems Security Professional- CISSP 2021, including CISSP® Exam Preparation Training Course.There are also classes for certification as an Information Security Manager, as well as an Information Systems Auditor. Plus, the membership includes a free career consulting and planning session. Infosec4TC is familiar with the essentials, requirements, and concerns of businesses today. They will work with you to make sure you reach the career title you want. The company has the highest passing rate for certification, so they make great mentors.Not only can you get the skills you need today for a career in cybersecurity, but you can rest assured that you will be able to keep those skills up-to-date for as long as you’re working. And there’s no doubt that the training works because Infosec4TC is rated 4.4 out of 5 stars on Trustpilot. Don’t pass up this chance to get a lifetime of self-paced training, get the Infosec4TC Platinum Membership: Lifetime Access today, while it is available for only $69.

ZDNet Recommends More

A prolific ransomware group that targets organisations around the world looks for sensitive info and files that suggest its victims are aware of illegal activity, with the aim of exploiting this as additional leverage in their hunt to make money from ransom payments. The Mespinoza ransomware group – also known as PYSA – demands millions of dollars in exchange for a decryption key and threatens to publish private information stolen from the compromised network if the victims don’t pay.  

Mespinoza has claimed victims around the world, but focuses predominantly on the United States, where it has targeted organisations in manufacturing, retail, engineering, education and government. The cybercrime group has become so prolific that the FBI issued a warning about attacks.  SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)     Cybersecurity company Palo Alto Networks has analysed Mespinoza attacks and detailed what it describes as an “extremely disciplined” ransomware group, which actively searches for evidence of illegal activity as well as other sensitive information to use as blackmail for double extortion campaigns. Like many ransomware groups, Mespinoza first gains a foothold in networks by compromising remote desktop protocol (RDP) systems. It’s uncertain whether the attackers use brute force attacks or use phishing attacks to steal login credentials, but by using legitimate usernames and passwords to access systems, it’s much easier for them to remain undetected as they move around the network and attempt to lay the foundations for the ransomware attack. But this isn’t the only way in which Mespinoza ensures that it has persistent access to hacked networks, as the group also installs a backdoor, which – based on the malware’s code – researchers have named Gasket. This in turn references a capability called “MagicSocks”, which uses open-source tools to provide continued remote access to the network.  

All of this allows the attackers to maintain persistence as they carefully take the time to assess the network. Mespinoza takes specific interest in file and server names relating to sensitive and confidential information, financial data and even information that might allude to illegal activity by the victim for use as leverage when demanding a ransom.  “They search using sensitive terms such as illegal, fraud, and criminal. In other words, the actors are also interested in illegal activities known to the organisation that could provide extreme leverage should a negotiation start,” Alex Hinchliffe, threat intelligence analyst for Unit 42 at Palo Alto Networks, told ZDNet. The ransom demands are often over $1.5 million, but the group is willing to negotiate with victims and has received many payments of almost $500,000 in exchange for a decryption key as well as to prevent stolen information from being published.

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More

The group has been active since April 2020 – a time when the global pandemic forced many organisations to suddenly adapt to remote working, making many more vulnerable to RDP attacks. And while Mespinoza isn’t as high-profile as other ransomware groups, the fact that it has been operating for over a year suggests it’s successful.”They’re relatively new but making a large impact given the number of victims listed on their leak site, and likely making a lot of money from their extortion,” said Hinchliffe. SEE: Ransomware: Paying up won’t stop you from getting hit again, says cybersecurity chiefIt’s currently not known where Mespinoza is operating from, but it’s likely that their attacks will continue so long as they’re making money from ransoms – and organisations with unsecured RDP will remain a prime target for campaigns by this group and other cyber-criminal ransomware operations. “Organisations need to know more about their attack surface area because without knowing their footprint, especially the internet-connected part, it’s almost impossible to see what’s happening, let alone defend against it,” said Hinchliffe. “Far too many organisations have services such as a RDP exposed to the internet and are exposing themselves to the risk of remotely launched attacks, negating the need from the threat actor to create and deliver phishing attacks at much higher cost to them,” he added. Organisations can help prevent their RDP services from being compromised by avoiding the use of default passwords and by applying multi-factor authentication to user accounts. MORE ON CYBERSECURITY More