More stories


    Google's Certificate Authority Service leaves preview, now generally available

    Google has announced the general availability of the Google Cloud Certificate Authority Service (CAS). 

    On Monday, head of solutions strategy Anoosh Saboori said that following a successful public preview announcement in October, the company has observed a “tremendous” reception from the market, as well as many “innovative use cases for the service.”

    Google CAS is a scalable service for managing and deploying private certificates via automation, as well as managing public key infrastructure (PKI). The tech giant says the platform was created to “address the unprecedented growth in certificates in the digital world” prompted by the popularity of cloud services, Internet of Things (IoT), containers, microservices, smart devices, and next-generation connectivity.

    Clients have implemented CAS for use cases including identity management, bolstering security around data transport, and creating digital signature services. Another use case cited by Google was using CAS as a “pay as you go” solution in IoT.

    “We saw small to midsize companies who are building IoT peripherals, like wireless chargers, USB devices, or cables reaching out with a need for certificates,” Saboori commented. “They do not want to invest in PKI and CAs as it is not their core business and the economy of it does not make sense given their market size.”

    Three new members have now joined the CAS partnership program: Keyfactor, Jetstack and Smallstep. The program’s existing partners were Venafi and AppViewx.

    In a separate blog post announcing the partnership, Keyfactor highlighted two challenges associated with the increased adoption of PKI and digital certificates: the means to scale PKI to cope with demand, and how to manage what could be thousands of certificates across an organization. “To thrive in the era of hybrid and multi-cloud infrastructure, IT and security teams need to seriously rethink how they deploy their PKI and manage digital certificates,” Keyfactor says. “The key to success is simple, repeatable processes for certificate management across all platforms and devices.”

    In related news, in April, Broadcom said a new strategic partnership would see its Symantec suite and enterprise operations move over to Google Cloud in order to improve service delivery.


    Ransomware: We need a new strategy to tackle 'exponential' growth, says Interpol

    The International Criminal Police Organization, Interpol, has called for collaboration between police and industry to prevent a “potential ransomware pandemic”. Ransomware, though not the most costly cybercrime – that title goes to business email compromise, according to the FBI 2020 figures for victim payments – has hit a nerve with world leaders and law enforcement agencies due to a spate of disruptive, high-stakes ransomware attacks in recent months, including on US critical infrastructure. 


    “Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action,” said Interpol secretary general Jürgen Stock.

    SEE: Security Awareness and Training policy (TechRepublic Premium)

    Interpol said its call for more collaboration against ransomware was made in the face of the threat’s “exponential growth” in the wider cybercrime ecosystem, with criminals shifting their business model towards providing ransomware as a service.

    An attack in June shut down major eastern seaboard fuel distribution network Colonial Pipeline for days. Another attack that month on global meatpacker JBS USA netted its attackers $11 million, and this month’s ransomware supply chain attack on tech firm Kaseya affected the firm’s managed service provider customers and over 1,000 of their customers, including Coop, the fourth largest supermarket chain in Sweden.

    According to the newly launched site, Ransomwhere, which tracks payments to ransomware attackers, the most lucrative operation right now is REvil/Sodinokibi – the ransomware-as-a-service platform behind the attacks on JBS and Kaseya.

    The group has demanded $70 million to provide Kaseya a universal decryption tool, but this year alone it has grabbed $11.3 million in bitcoin payments.

    “Despite the severity of their crimes, ransomware criminals are continuously adapting their tactics, operating free of borders and with near impunity,” said Stock. “Much like the pandemic it exploits, ransomware is evolving into different variants, delivering high financial profits to criminals,” he added.

    US president Joe Biden in recent talks with Russian president Vladimir Putin said critical infrastructure should be “off limits”. The White House press secretary said Biden told Putin that “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”

    The US stance is that the Russian government is still responsible for cybercriminals operating within its jurisdiction even if the activity is not backed by the Kremlin, which was blamed by the US for the SolarWinds supply chain attack.

    SEE: Ransomware: Paying up won’t stop you from getting hit again, says cybersecurity chief

    Exactly what action the US would take in the absence of a Russian-led clampdown remains to be seen. However, last week, asked whether it would make sense for the US to attack the servers used in ransomware attacks, Biden said, “Yes”, according to Reuters.

    Interpol is looking to partner with private sector cybersecurity firms as well as government agencies and CERTs or computer emergency response teams to disrupt ransomware gangs.

    “Policing needs to harness the insights of the cyber security industry, computer emergency response teams and other agencies to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of cybercrime,” said Stock.


    Canberra proposes IoT 'star' ratings and mandatory cyber standards for big business

    The federal government wants to strengthen Australia’s cybersecurity regulations and has suggested seven areas for policy reform, including the introduction of mandatory governance standards for larger businesses, a code for how personal information is handled, and a system for regulating smart devices.

    In a bid to “further protect the economy from cybersecurity threats”, the government is proposing [PDF] either a voluntary or mandatory set of governance standards for larger businesses that would “describe the responsibilities and provide support to boards”. While the crux of both options is similar, the mandatory code would require the entities covered to achieve compliance within a specific timeframe. A mandatory code would also see enforcement applied. A voluntary option would not require specific technical controls to be implemented and would rather be treated as a suggestion.

    The government would prefer the code be voluntary, however, saying “on balance, a mandatory standard may be too costly and onerous given the current state of cybersecurity governance, and in the midst of an economic recovery, compared to the benefits it would provide”.

    It also flagged there was no existing regulator with the relevant skills, expertise, and resources to develop and administer a mandatory standard.

    Small businesses, meanwhile, have had a “cyber health check” function suggested. A voluntary cybersecurity health check program would see a small business be awarded a trust mark that they could use in marketing. Businesses applying for the health check would self-assess their own compliance, with a basic level of due diligence provided by government or a third party, the paper poses. It would also expire after 12 months.

    This idea was pulled from the UK government’s program called Cyber Essentials.

    The paper also proposes the creation of an enforceable code under a federal piece of legislation to increase the adoption of cybersecurity standards. It said the Privacy Act has the greatest potential to set broad cybersecurity standards in relation to personal information. “Establishing a code under the Privacy Act could drive the adoption of cybersecurity standards across the economy by creating regulatory incentives for uptake,” it said.

    This code would specify minimum, rather than best practice, approaches, but the paper said it was unrealistic to mandate the Australian Signals Directorate’s Essential Eight through a cybersecurity code.

    See also: ACSC introduces Essential Eight zero level cyber maturity and aligns levels to tradecraft

    A cybersecurity code would have some limitations, however, and would only apply to the protection of personal information. A code would also only apply to entities that are covered by the Privacy Act.

    The government is also considering regulatory approaches to increasing responsible disclosure policies, again posing a voluntary and mandatory option. The voluntary option would see the government release guidance or toolkits for industry on the process of developing and implementing responsible disclosure policies. The mandatory option, it said, could be incorporated into the potential cybersecurity standard for personal information.

    The paper also discusses the introduction of clear legal remedies for consumers after a cybersecurity incident occurs, as currently there are limited legal options for consumers to seek remedies or compensation. It asks respondents what amendments can be made to the Privacy Act 1988 and Australian Consumer Law to sufficiently cover cybersecurity, as well as what other actions the government should consider.

    Regulating IoT devices is also proposed. “We believe that one reason that many smart devices are vulnerable is because competition in the market is primarily based on new features and cost,” the paper says. “Unfortunately, consumers often aren’t able to tell the difference between a secure and insecure device, which limits commercial incentives to compete on cybersecurity and leads consumers to unknowingly adopt cybersecurity risk.”

    In a bid to mitigate this, the government last year released the voluntary Code of Practice: Securing the Internet of Things for Consumers that contains 13 principles, or expectations the government has on manufacturers, about the security of smart products.

    The discussion paper suggests taking this further and making the code mandatory. The standard would require manufacturers to implement baseline cybersecurity requirements for smart devices.

    It also believes consumers do not currently have the tools to easily understand whether smart devices are “cyber secure” as there is often a lack of clear, accessible information available to them. Potentially remedying this are proposals that would include the introduction of a voluntary star rating label or a mandatory expiry date label.

    Details on how the former would take shape are slim, but the discussion paper details similar schemes underway in the UK and Singapore. The Singapore scheme consists of four cybersecurity levels, with each indicating a higher level of security and/or additional security testing.

    The mandatory expiry date label, meanwhile, would display the length of time that security updates will be provided for the smart device. This kind of label would not require independent security testing, and therefore would be a lower-cost approach compared to a star rating label, the government said. In its “pros and cons” table, the government highlights the expiry date option as its preferred way forward.

    Submissions on the discussion paper close 27 August 2021.


    Software to accelerate R&D

    Many scientists and researchers still rely on Excel spreadsheets and lab notebooks to manage data from their experiments. That can work for single experiments, but companies tend to make decisions based on data from multiple experiments, some of which may take place at different labs, with slightly different parameters, and even in different countries.

    The situation often requires scientists to leave the lab bench to spend time gathering and merging data from various experiments. Teams of scientists may also struggle to know what the others have tried and which avenues of research still hold promise.

    Now the startup Uncountable has developed a digital workbook to help scientists get more from experimental data. The company’s platform allows scientists to access data from anywhere, merge data using customized parameters, and create visualizations to share findings with others. The system also integrates models that help scientists test materials more quickly and predict the outcomes of experiments.

    Uncountable’s goal is to accelerate innovation by giving scientists developing new materials and products a better way to use the data that drive decisions.

    “It’s all about saving scientists from the bookkeeping they do today and allowing them to focus on innovation and chemistry,” says Will Tashman ’13, who co-founded the company with Noel Hollingsworth ’13, SM ’14 in 2016.

    Uncountable began by helping customers in the industrial chemical space but has expanded to work with companies formulating new battery materials, making polymers for 3D printing, and identifying promising drug candidates.

    “Our goal internally is, ‘Can we make R&D more efficient by a factor of 10?’” Hollingsworth explains. “Can we imagine a world where instead of getting the Tesla battery that’s going to come out in 2032, you get it next year? That’s the world we want to eventually push to with our software.”

    A winning team

    Hollingsworth and Tashman played on MIT’s basketball team together, with both starting on the 2011-2012 team that won the New England Women’s and Men’s Athletic Conference championship.

    During his time at MIT, Hollingsworth got excited about startups while interning at small companies. He also saw alumni including Dropbox co-founder Drew Houston ’05 speak about entrepreneurship.

    After graduation, Hollingsworth joined sports analytics company Second Spectrum while Tashman joined Apple, but they continued playing basketball together.

    “Playing basketball gave us a really close bond,” Hollingsworth says. “What led us to reconnect was this high level of trust you get when you play together on the same sports team for multiple years that’s just not there in a lot of other environments.”

    The pair also brought on Jason Hirshman, a programmer from Stanford University that Hollingsworth had previously worked with. The founders believed they could build a software platform to improve efficiency in the advanced manufacturing space, but they needed to learn more about specific problems customers were facing.

    Tashman scanned the MIT directory for people who could benefit from their idea and ended up meeting several people that either became Uncountable’s first customers or introduced Uncountable to early customers.

    One of those people was Chris Couch ’92, SM ’93, PhD ’99, who is the senior vice president and CTO of Cooper Standard, a global supplier of transportation and industrial components. Uncountable did its first pilot with Cooper Standard, and the company became one of Uncountable’s highest-profile early customers. Couch also suggested the founders look into using neural networks to improve the formulation and optimization of rubber compounds.

    “We talked to him a lot about why it would and wouldn’t work, and that was really the impetus [for building Uncountable’s platform],” Tashman says. “So, using the MIT network and talking to really smart people in research and development leadership positions at formulation companies was very, very helpful.”

    Uncountable started by helping companies use data around rubber formulation but quickly learned teams formulating chemicals for consumer products, food, and the life sciences had similar processes and problems.

    “The data would be in 1,000 different folders under 10 different names, potentially stored in labs across the world,” Tashman says. “[With Uncountable], it’s all in one place. We offer instant access to information in a very secured, controlled environment. With the data in one place, you can build reports, you can build filters, you can monitor lab activity, and you can use more advanced AI algorithms to try and optimize your experiments.”

    The founders say the system dramatically reduces the time scientists spend combing data from different experiments and lets scientists see the correlations and formulas that others have already explored.

    “There’s various studies showing the crazy number of experiments and trials that are redone because of poor documentation or poor sharing and collaboration,” Tashman says.

    The centralized data-management system also allows companies to apply machine-learning algorithms to their data in new ways, and Uncountable has several custom models integrated into its system.

    “If the data is in the right place and the right size, you all of a sudden unlock a lot more powerful mathematical and statistical tools,” Tashman says.

    Speeding up research

    Carbon is a 3-D printing company that develops resins for consumer goods, automotive applications, and biotech companies. Founded in 2013, Carbon had been using Excel spreadsheets to manage R&D before adopting Uncountable’s solution.

    Uncountable helps Carbon’s scientists save hours each week on data sharing, analysis, and in creating presentations for leadership. When a scientist joins a project, they can see exactly what formulations the team has explored, eliminating duplicate work and making it easier to identify areas where they can dig deeper.

    “Uncountable helps us understand whether we’re exploring enough, what else we might try, and whether there are other considerations,” says Carbon scientist Marie Herring ’11. “We get to that point faster, and it speeds up the whole R&D process.”

    Carbon is one of several 3-D printing companies Uncountable works with. As the founders have realized scientists face similar problems across industries, the company has expanded to work with teams developing energy storage devices and plant-based foods as well as biotech startups and research hospitals. Another customer, Nohbo, is making dissolvable toiletries that could eliminate millions of tons of plastic waste created by hotels each year.

    “To get to these greener, more sustainable products, there’s no magic wand,” Hollingsworth says. “The future isn’t discovered; it’s invented by these hard-working scientists we work with on a day-to-day basis. Getting to help all these partners, not just in one field but every field, has been really amazing.”


    ACSC introduces Essential Eight zero level cyber maturity and aligns levels to tradecraft

    The Australian Cyber Security Centre (ACSC) has refreshed its Essential Eight implementation guide, which now sees all of the Essential Eight strategies become essential. “The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats,” the ACSC said. “Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.”

    The ACSC now states that the maturity model is focused on “Windows-based internet-connected networks”, and while it could be applied to other environments, other “mitigation strategies may be more appropriate”.

    Compared to its last release, the maturity model adds a new maturity level zero, which is defined as environments with weaknesses that cannot prevent the commodity attacks covered by level one, and the levels are aligned to the cyber tradecraft and tactics used. “Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for different operations against different targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another,” the guide states. “As such, organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.”

    Attacks within maturity level one include those using publicly-available attacks in a spray-and-pray fashion to gain any victim they can, while those at maturity level two will invest more time in a target and tooling. “These adversaries will likely employ well-known tradecraft in order to better attempt to bypass security controls implemented by a target and evade detection,” the guide says. “This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.”

    At the highest level, maturity level three, the attacks are not as reliant on public exploits, will move laterally through networks once access has been gained, and can undertake tasks like stealing authentication tokens. The guide does warn that even the best cyber protections may not be enough. “Maturity level three will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target,” it says. “As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.”

    Digging into the levels

    While the guide has the same overall headings as its previous iteration, many of the details have changed, becoming more precise while also reducing various timeframe recommendations. Of particular note for level three is the constant recommendation of centralised logging across systems, ensuring logs cannot be changed, and that they are used in the event of a cyber incident.

    Under application control, maturity level one calls for “execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets” to be prevented on workstations within user profiles and temp folders. The next level up sees this extended to internet-facing servers and the executables white-listed. At level three, the restrictions include all servers as well as whitelisting drivers, using Microsoft’s block rules, and validating the whitelist.

    For patching applications, the level one recommendations now drop the patching of apps on internet-facing servers down to two weeks, or 48 hours if an exploit exists — for workstation software, the deadline is a month. The ACSC is also recommending the use of vulnerability scanners daily on internet-facing servers, and fortnightly otherwise. “Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed,” the level one recommendation states. At level two, the workstation app patch deadline drops to two weeks, while all other updates get a month-long deadline. Also at level two, vulnerability scanning should occur at least weekly on workstations, and fortnightly for all other parts of the network. At the highest level, any unsupported application is removed, and workstation patching drops to 48 hours if an exploit exists.

    See also: The winged ninja cyber monkeys narrative is absolutely wrong: Former NCSC chief

    Patching for operating systems has the same timelines and recommendations for vulnerability scanning, with the inclusion at level three of only using the latest, or immediately previous, release of a supported operating system.

    The ACSC has also recommended for macros to be disabled for users without a business case, macros in downloaded files to be blocked, antivirus solutions to scan macros, and macro security to not be allowed to be changed by users. Level two sees macros blocked from Win32 API calls, and attempted macro executions logged. For level three, macros need to run from within a sandbox or trusted location and need to be validated and digitally signed by trusted publishers that occupy a list that is reviewed at least annually.

    Under application hardening, as well as the 2017 recommendations to block ads and Java in browsers, the ACSC adds that users cannot change security settings and IE 11 cannot process content from the net. Level two sees Office and PDF software banned from making child processes, while also being blocked from creating executables, injecting code into other processes, or activating OLE packages. Any blocked PowerShell script executions need to be logged, and Office and PDF software security settings cannot be changed. Internet Explorer 11, .NET Framework 3.5 and lower, and PowerShell 2.0 are disabled or removed at level three. PowerShell could also be configured to use Constrained Language Mode, the ACSC states.

    See also: Australia’s tangle of electronic surveillance laws needs unravelling

    Looking at restricting admin privileges, the guide now says privileged accounts, except for privileged service accounts, should be prevented from accessing the internet and run only in a privileged environment that does not allow unprivileged logging on. At level two, access to privileged systems is disabled after a year unless reauthorised, and is removed after 45 days of inactivity. The ACSC added that privileged environments cannot be virtualised on unprivileged systems, admin activities should use jump servers, use and changes to privileged accounts should be logged, and credentials are unique and managed. At level three, the privileged service accounts exception is removed, just-in-time administration is used, privileged access is restricted only to what users need, and Windows Defender Credential Guard and Windows Defender Remote Credential Guard are used.

    Multi-factor authentication (MFA) is recommended on third-party services that use an organisation’s data, and on an entity’s internet-facing servers. This increases to recommending MFA for privileged users and logging all MFA interactions at level two; for level three, it is expanded to include “important data repositories” and ensuring MFA is “verifier impersonation resistant”.

    On backups, the prior monthly recommendation is dropped in favour of “a coordinated and resilient manner in accordance with business continuity requirements”, and timeframes for testing recovery from backup and holding backup data are dropped. Added as a recommendation is ensuring unprivileged users have read-only access to their own backups. At level two, the read-only access is extended to privileged users, and at level three only backup administrators can read backups, and only “backup break glass accounts” are capable of modifying or deleting backups.


    Guess announces breach of employee SSNs and financial data after DarkSide ransomware attack

    Billion-dollar fashion brand Guess has sent letters out to an unknown number of people whose information they lost during a ransomware attack in February. First shared by Bleeping Computer’s Sergiu Gatlan, the letters state that “unauthorized access” to certain Guess systems between February 2, 2021 and February 23, 2021 led to a breach of Social Security numbers, driver’s license numbers, passport numbers and financial account numbers.

    The letters — signed by Guess HR senior director Susan Tenney — only went out to four residents in Maine, per the state’s guidelines, but the company implied that more people were affected. In a statement to ZDNet, a Guess spokesperson would not answer questions about how many victims there were, only saying that “no customer payment card information was involved.”

    The Guess spokesperson would not confirm whether the breach was part of a ransomware attack, but the company appeared on the victim data leak site for ransomware group DarkSide in April, and the group openly boasted about stealing 200 GB of data from the fashion brand during an attack in February.

    “Guess?, Inc. recently concluded an investigation into a security incident that involved unauthorized access to certain systems on Guess?, Inc.’s network. We engaged independent cybersecurity firms to assist in the investigation, notified law enforcement, notified the subset of employees and contractors whose information was involved and took steps to enhance the security of our systems,” the spokesperson told ZDNet. “The investigation determined that no customer payment card information was involved. This incident did not have a material impact on our operations or financial results.”

    In April, a member of DarkSide spoke with a reporter from Databreaches.net, telling the site that they had studied Guess’ financial records and knew the company brought in nearly $2.7 billion in revenue last year. “We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience,” the DarkSide representative said in messages translated from Russian. “We act in stages and notify the press usually already when exactly sure that the company will not pay. As for [Guess and another company they named] — I think the press will see them.”

    DarkSide shut down its operations in May after their attack on Colonial Pipeline brought international condemnation and increased scrutiny from law enforcement.

    In its letter to victims, Guess said it only recently finished its investigation into the cybersecurity incident, which they said was “designed to encrypt files and disrupt business operations.” Their security team discovered the incident on February 19 but realized that cybercriminals were in their system until February 23. It took until May 26 for the company to confirm that the personal information of “certain individuals” was accessed or acquired by an unauthorized actor.

    The company waited until July 9 to begin sending out notification letters to those who were affected. As most companies do, Guess is offering the victims one year of credit monitoring and identity theft protection services from Experian. Guess also said it set up a call center for people with questions about the incident or those interested in enrolling in credit monitoring services.

    Erich Kron, security awareness advocate at KnowBe4, noted that this was an example of the long tail that ransomware attacks have. “Although the Darkside ransomware group is out of commission, that does not mean this breach is insignificant. The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver’s license numbers, financial account and/or credit/debit card numbers with security codes, passwords or PIN numbers, is an extremely valuable dataset for cyber criminals if they want to steal identities,” Kron said. “For this reason, unlike it appears in this case, organizations are wise to limit the amount of data kept and stored in systems.”


    US Senate confirms Jen Easterly as head of cyber agency

    The US Senate on Monday unanimously confirmed Jen Easterly as the new director of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. The agency, established in 2018, is responsible for the security, resiliency and reliability of the nation’s cybersecurity and communications infrastructure.

    CISA has not had an official director since November, when then-President Donald Trump fired Chris Krebs, the agency’s first director, for debunking election fraud myths. Krebs’ deputy, Brandon Wales, took on the position on an interim basis, leaving CISA without a full-time leader amid the fallout from the SolarWinds hacks and a number of other state-sponsored attacks on government organizations.

    Easterly brings both corporate and military experience to the role. She most recently worked for Morgan Stanley as head of resilience. She also served as the Cyber Policy Lead for the Biden-Harris presidential transition team. Earlier, Easterly served at the White House as Special Assistant to the President and Senior Director for Counterterrorism and as the Deputy for Counterterrorism at the National Security Agency. She retired from the US Army after more than 20 years of service in intelligence and cyber operations and was responsible for standing up the Army’s first cyber battalion. Easterly was also instrumental in the design and creation of United States Cyber Command. She is a two-time recipient of the Bronze Star.

    President Joe Biden nominated Easterly to lead the important agency in April, and Senate Democrats initially attempted to confirm her nomination in late June. However, her nomination was held up briefly by Republican Sen. Rick Scott of Florida as a means of bringing attention to the US-Mexico border. Scott said he would refuse to confirm any Department of Homeland Security nominees until Vice President Kamala Harris went to the border, which she did shortly thereafter.

    Amid the delay, ZDNet spoke with a number of experts about whether CISA should be spun off from the DHS.

  • in

    SolarWinds releases security advisory after Microsoft says customers 'targeted' through vulnerability

    SolarWinds released updates for its Serv-U Managed File Transfer and Serv-U Secure FTP tools this weekend after it was notified of a vulnerability by Microsoft. In an advisory sent out on Friday and updated on Saturday, SolarWinds said Microsoft “reported to SolarWinds that they had discovered a remote code execution vulnerability in the SolarWinds Serv-U product.” SolarWinds added that the Serv-U Gateway is a component of the Serv-U Managed File Transfer and Serv-U Secure FTP tools and is not a separate product. The vulnerability is present in the latest Serv-U version, 15.2.3 HF1, released May 5, 2021, and in all prior versions. Microsoft provided the company with a proof of concept of the exploit and said that at least one threat actor has already used it.

    “A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system,” the advisory said. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers.”

    A hotfix — Serv-U version 15.2.3 hotfix (HF) 2 — has been developed and released. SolarWinds said customers of the product should log into their Customer Portals to access the updates.

    For those who are not on active maintenance and currently using a Serv-U product, the company said it was offering customer service help. 

    SolarWinds Updates

    To check whether you have been compromised through this vulnerability, SolarWinds listed a number of suggestions and questions administrators should ask. “Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack,” SolarWinds said. “Please collect the DebugSocketlog.txt log file. In the log file DebugSocketlog.txt you may see an exception, such as: 07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5,” the company added, noting that exceptions “may be thrown for other reasons so please collect the logs to assist with determining your situation.”

    SolarWinds added that administrators should look for “connections via SSH from the following IP addresses, which have been reported as a potential indicator of attack by the threat actor: 98.176.196.89 and 68.235.178.32, or look for connections via TCP 443 from the following IP address: 208.113.35.58.”

    SolarWinds vulnerabilities have been targeted repeatedly over the last year, and the company drew headlines in December when Russian government hackers compromised its network and deployed malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. In March, it was revealed that Chinese government hackers launched another attack on a SolarWinds server.
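The two checks the advisory describes, turned into a small triage script, as an added example that is not SolarWinds' own tooling: it scans DebugSocketlog.txt entries for the specific C0000005 exception in CSUSSHSocket::ProcessReceive() while still surfacing other exceptions as informational, and compares connection sources against the IP addresses quoted above. The sample log lines are constructed, and the default SSH port (22) is an assumption; Serv-U's listener may be configured differently.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the SolarWinds advisory above (values taken from the page).
ADVISORY_SSH_SOURCES = {"98.176.196.89", "68.235.178.32"}
ADVISORY_TCP443_SOURCES = {"208.113.35.58"}

# Matches the EXCEPTION entry format the advisory quotes from DebugSocketlog.txt.
EXCEPTION_RE = re.compile(
    r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*(?P<func>[A-Za-z0-9_:]+)\(\);"
)

@dataclass
class Finding:
    line_no: int
    reason: str
    text: str

def scan_debug_log(lines):
    """Flag exception entries. Only an access violation (C0000005) raised in
    CSUSSHSocket::ProcessReceive() matches the advisory; any other exception is
    reported as informational, since exceptions have many benign causes."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = EXCEPTION_RE.search(line)
        if not m:
            continue
        code, func = m.group("code").upper(), m.group("func")
        if code == "C0000005" and func == "CSUSSHSocket::ProcessReceive":
            findings.append(Finding(n, "advisory-pattern exception", line.strip()))
        else:
            findings.append(Finding(n, "other exception", line.strip()))
    return findings

def check_connection_sources(conns, ssh_ports=frozenset({22})):
    """conns: iterable of (source_ip, destination_port) pairs from firewall or
    Serv-U connection logs. ssh_ports is an assumption: Serv-U's SSH listener
    may run on a non-default port, so pass the configured one."""
    return [(ip, port) for ip, port in conns
            if (port in ssh_ports and ip in ADVISORY_SSH_SOURCES)
            or (port == 443 and ip in ADVISORY_TCP443_SOURCES)]

# Constructed sample lines modelled on the format quoted in the advisory.
SAMPLE_LOG = [
    "[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); "
    "Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80",
    "[07] Tue 01Jun21 02:43:10 - EXCEPTION: C0000005; CSomeOther::Handler(); Type: 1",
    "[07] Tue 01Jun21 02:43:11 - Connected from 203.0.113.5",
]
```

A match on the exception pattern is a reason to collect the full logs and connection history, not a verdict on its own, which is the same caveat the advisory makes.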
