    Cybercriminals troll Iran's leader, cause railway network 'chaos'

    Iran’s railway service and network dissolved into what state media called “unprecedented chaos” due to an alleged cyberattack. 

    As reported by Reuters, on Friday, the country’s train services experienced delays and cancellations as ticket offices struggled to cope with the attack. However, not only did the miscreants cause severe operational issues, but those behind the situation also trolled Iranian Supreme Leader Ayatollah Ali Khamenei, who has been in office since 1989.  IRIB reported that electronic boards used to display arrival and departure information to passengers at train stations were compromised. The boards asked travelers to call a number to reach a help desk for further information. However, the number actually belonged to the leader’s office. Iranian officials from the Ministry of Road and Urban Development confirmed the attack on Saturday.  “Following a disruption in the staff computer systems in the headquarters of the Ministry of Road and Urban Development, the issue is under investigation by technical experts of the ministry,” the organization said. The rail service’s website now appears to be fully operational. 

    In April, the UK’s Merseyrail network was subject to a cyberattack conducted by the Lockbit ransomware group. It appears that an Office 365 email account used by the company was compromised — and was also used to inform employees and journalists of the attack. The UK Information Commissioner’s Office (ICO) was informed of the incident. Back in 2018, Rail Europe experienced a three-month-long cyberattack leading to the theft of customer payment card data and personal information. Threat actors were able to install credit card-skimming malware on the network’s website.

    Ransomware: This new ransom tracker reveals how much bitcoin gangs have been paid

    A security expert has launched a site to keep a publicly trackable record of bitcoin payments to key ransomware gangs, such as REvil.  The ransomwhe.re site has been created by Jack Cable, a security researcher who works with the Krebs Stamos Group cyber consultancy and the US Defense Digital Service. 

    The Ransomwhere site is an open, crowdsourced ransomware payment tracker, offering a breakdown of victim payments in bitcoin to wallets linked to a dozen major ransomware variants. The payment figures can be broken down by ‘all time’, this year, this month, and this week.

    Ransomware attacks are on the rise and now the subject of debate between world leaders after attacks on Colonial Pipeline, meat processor JBS, and last week’s attack against enterprise software management firm Kaseya, which saw REvil ransomware spread to dozens of managed service providers and over 1,000 of their customers.

    Across all time, the Mailto/Netwalker ransomware leads the ransomware pack, but, isolating payments to this year, REvil/Sodinokibi, which was behind the JBS and Kaseya attacks, is the leader with $11.3 million in payments received. REvil’s total for 2021 could rise significantly if it receives the $70 million it demanded last week in the Kaseya attack.

    Cable joined the US Cybersecurity and Infrastructure Security Agency under then CISA director Chris Krebs to help secure election systems ahead of the US 2020 presidential elections. Cable explained his motives for building the site in a thread on Twitter, noting the data about victim payments can change the response to ransomware.

    “Today, there’s no comprehensive public data on the total number of ransomware payments. Without such data, we can’t know the full impact of ransomware, and whether taking certain actions changes the picture,” he wrote.

    “Ransomwhere aims to fill that gap by tracking bitcoin transactions associated with ransomware groups. It’s public, so anyone can view and download the data. And it’s crowdsourced, so anyone can submit reports of ransomware they’ve been infected with or otherwise observed.”

    According to an FAQ on Ransomwhe.re, Bitcoin’s transparency in payments makes it easy to track payments and receipt addresses. The site calculates the US dollar value of bitcoin payments based on the exchange rate of the day a payment was made, so it’s an estimate of how much victims paid, but not how much ransomware gangs sold it for.

    Kaseya issues patch for on-premise customers, SaaS rollout underway

    Kaseya has released its promised patch to resolve security flaws responsible for a ransomware attack. 

    The software solutions provider, which counts managed service providers (MSPs) among its client base, was the subject of a ransomware outbreak on July 2. Kaseya said the threat group responsible, REvil, exploited unpatched vulnerabilities in the firm’s VSA remote monitoring software to trigger both an authentication bypass and code execution, allowing them to deploy ransomware on customer endpoints. It is estimated that between 800 and 1500 businesses have been impacted. REvil has demanded $70 million for a universal decryption key. Kaseya pulled its SaaS systems offline and urged customers to shut down their VSA servers when the first reports of cyberattacks came in. Initial attempts to relaunch SaaS servers were set for July 6; however, technical problems prompted a further delay. According to Kaseya, the decision was made by CEO Fred Voccola in order to give the company the time to bolster existing security mechanisms. On Sunday, the tech giant said that the rollout is underway and going “according to plan.”

    In total, 95% of the company’s SaaS customers are now live, with servers “coming online for the rest of our customers in the coming hours.” On-premise clients now have access to the VSA patch, too, and support teams are working with organizations that need assistance in applying the security update.

    The release notes for both VSA on-prem and SaaS deployments include fixes for three CVE-issued vulnerabilities: a credentials leak and business logic flaw (CVE-2021-30116), a cross-site scripting (XSS) bug (CVE-2021-30119), and a two-factor authentication bypass (CVE-2021-30120). In addition, Kaseya has resolved a secure flag problem in User Portal session cookies, an API response process that could expose weak credentials to brute-force attacks, and an unauthorized file upload vulnerability impacting VSA servers.

    Due to the speed necessary in deploying the patch, some VSA functionality has been disabled temporarily — including some API endpoints. “Out of an abundance of caution, these API calls are being redesigned for the highest level of security,” Kaseya says. “Individual functions will be restored in later releases this year.” Kaseya has also temporarily removed the ability to download agent installer packages without authentication to VSA and the User Portal page. A number of legacy functions have been permanently removed. Clients will need to change their password once they have installed and logged in to the latest build. Kaseya has also provided VSA SaaS and on-premise hardening and best practice guides.

    Bloomberg reports that in the past, former employees sounded the alarm on cybersecurity worries including outdated code, weak encryption, and a lack of robust patching processes. However, the ex-staff members claimed their concerns were not fully addressed.

    Aussies have lost over AU$7 million to remote access scams already this year

    In the first six months of 2021, Australians lost over AU$7 million by letting scammers access their home computers — up 184% when compared to last year.

    The latest data from the ACCC’s Scamwatch reveals so far this year almost 6,500 Australians have reported phone calls from scammers trying to convince them to download software that gives access to home computers and their bank accounts. “Remote access scams are one of the largest growing scam types in Australia. Scammers take advantage of the digital world and the fear of fraud and cybercrime to access people’s devices and steal their money,” ACCC deputy chair Delia Rickard said. “These types of scams target and impact all people and can be convincing.”

    People aged 55 and over lost over AU$4.4 million, accounting for almost half of total losses. Young people reported losing on average AU$20,000 and eight Indigenous Australians, some in remote communities, lost a total of AU$38,000, across 84 reports.

    The ACCC said the scammers pretend to be from organisations such as Telstra, eBay, NBN Co, Amazon, banks, government organisations, police, and computer and IT support organisations. Telstra was impersonated 1,730 times, with reported losses of AU$1.95 million, followed by NBN Co with 1,023 reports and reported losses of AU$477,980.

    The scammer’s modus operandi is to create a sense of urgency to make victims provide access to their computers via remote access software. A common tactic used by the scammers, too, is to say the victim has been billed for a purchase they didn’t make, then convince the victim their device has been compromised, or account “hacked”, as a result.

    “The scammer will pretend to assist you or ask you to assist them to catch the scammer,” the ACCC cautioned. “They will tell you to download remote control software such as AnyDesk or TeamViewer.”

    Once the scammer has control of the device, they will ask the individual to log into applications such as emails, internet banking, or PayPal accounts, which is how they obtain the log-in credentials.

    “It is really important not to let anyone who contacts you out of the blue access your devices, as once you give them access, you have no way of knowing what the person will do to your computer or what programs they may install,” Rickard added.

    “If you receive contact from someone claiming to be from a telecommunications company, a technical support service provider or online marketplace, hang up. If you think the communication may have been legitimate, independently source the contact details for the organisation to contact them. Don’t use the contact details in the communication.”

    “Also, don’t click on any of the links.”

    Australians in 2020 lost a total of AU$8.4 million to remote access scams.

    Ransomware shows the power and weakness of the web

    Ransomware reflects the complexities and limitations of the web. It’s worth remembering those limitations as we rely ever more on computer systems that often have pretty shallow foundations when it comes to security and reliability.

    For example, much of the web has been built on trust, with security very much an after-thought. There’s always been hacking, of course, but the difficulty of making it pay meant that, apart from state-sponsored attacks and industrial espionage, the impact was quite limited.

    But the rise of cryptocurrency, which enables hard-to-track payments, plus the general insecurity of many computer systems, and our total reliance on them, has created the perfect ransomware storm that now engulfs so many companies.

    Fixing this problem is not easy. The US administration may now be threatening to take action against ransomware gangs, but because many of them operate from Russia, that’s going to be tough.

    True, the US could try to break the infrastructure that the gangs use, but that’s not without its problems. For a start, these gangs don’t have huge infrastructure to attack, and what they do have is easily replaced. Then there’s the risk of accidentally disrupting the systems of an innocent organisation in a foreign country, which — particularly when you’re dealing with Russia — is a good way to raise international tensions.

    Most likely the US could try to put a tight financial squeeze on ransomware gangs — something it has already done by seizing some of the bitcoins sent to them. These gangs are entirely motivated by money, so taking away the ability to receive ransoms or spend their ill-gotten gains is likely to be the most effective way of curtailing their activities. Banning the payment of ransoms might have some impact, but it would also force some unlucky firms out of business if their data was locked up forever.

    The ransomware era will probably come to an end at some point, most likely to be replaced with another security worry. Indeed, the rise of supply chain security flaws, which are currently being exploited to spread ransomware, is at least as big a problem.

    But the ransomware problem also serves as a reminder: we are increasingly reliant on the web, and the internet beneath it. And much of that infrastructure is creaking, or held in place by obscure but fragile systems or pieces of code. So even after ransomware is long forgotten, the security worries won’t go away.

    ZDNET’S MONDAY MORNING OPENER

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

    These three simple tips will keep your iPhone safe from hackers

    How hard is it to keep your iPhone — and the data that’s on it — safe from hackers and other bad folks out there? Not hard at all. While there’s no doubt that security is a massive subject, and you could devote your life to it, it’s not hard to get to a point where your iPhone is more secure than 99 percent of other iPhones out there.

    Here’s how.

    #1: Updates

    Make sure that your iOS is up to date. This is your primary line of defense against vulnerabilities. I know, I know, there are a lot of them, but that’s the world we live in these days.

    It’s also a good idea to keep your apps updated too, but that’s secondary to keeping iOS updated.

    Personally, given the number of bugfixes in recent iOS releases, I don’t wait to install them. Sure, there might be bugs like battery issues and such that creep into iOS releases, but these are, as far as I’m concerned, less of a problem.

    #2: Strong passcode

    If you’re still rolling with 000000 or 123456 or something dumb like that, change it. Do it now.

    While web-based attacks do happen, the most likely way that your data is going to leak from your iPhone is by someone picking it up and unlocking it.

    #3: Reboot weekly

    Most iPhone vulnerabilities rely on jailbreaking the iPhone. The good news is that a jailbreak can’t survive a reboot, so adding a weekly reboot to your schedule is no bad thing. Not only does it protect you from badness getting onto your iPhone but it’ll also speed things up a bit by clearing the RAM.

    Want more? Check out my iPhone Security Checklist, which goes into much greater detail about settings and features you can tweak to make your iPhone more secure.

    The tenured engineers of 2021

    The School of Engineering has announced that MIT has granted tenure to eight members of its faculty in the departments of Chemical Engineering, Electrical Engineering and Computer Science, Materials Science and Engineering, Mechanical Engineering, and Nuclear Science and Engineering.

    “This year’s newly tenured faculty are truly inspiring,” says Anantha Chandrakasan, dean of the School of Engineering and Vannevar Bush Professor of Electrical Engineering and Computer Science. “Their work as educators and scholars has shown an incredible commitment to teaching and research — they have each had a tremendous impact in their fields and within School of Engineering community.”

    This year’s newly tenured associate professors are:

    Mohammad Alizadeh, in the Department of Electrical Engineering and Computer Science and the MIT Computer Science and Artificial Intelligence Laboratory, focuses his research in the areas of computer networks and systems. His research aims to improve the performance, robustness, and ease of management of future networks and cloud computing systems. His current research spans three areas of networking: learning-based resource management for networked systems, programmable networks, and algorithms and protocols for data center networks. He is also broadly interested in performance modeling and analysis of computer systems and bridging theory and practice in computer system design.

    Kwanghun Chung, in the Department of Chemical Engineering, the Institute for Medical Engineering and Science, and the Picower Institute, is devoted to developing and applying novel technologies for holistic understanding of large-scale complex biological systems. His research team develops a host of methods that enable identification of multi-scale functional networks and interrogation of their system-wide, multifactorial interactions. He applies these technologies for studying brain function and dysfunction. His research interests include neuroscience, medical imaging, brain mapping, high-throughput technologies, polymer science, tissue engineering, microfluidics.

    Areg Danagoulian, in the Department of Nuclear Science and Engineering, focuses his current research on nuclear physics applications in nuclear security. This includes technical problems in nuclear nonproliferation, technologies for treaty verification, nuclear safeguards, and cargo security. His current research areas include nuclear disarmament verification via resonant phenomena and novel nuclear detection concepts.

    Ruonan Han, in the Department of Electrical Engineering and Computer Science, is a core faculty member of the Microsystems Technology Laboratories. His research aims at pushing the speed limits of microelectronic circuits in order to bridge the “terahertz gap” between the microwave and infrared domains. He is also interested in innovative interplays among electronics, electromagnetics, and quantum physics for the development of high-frequency, large-scale microsystems, which enable new applications in sensing, metrology, security, and communication.

    Heather J. Kulik, in the Department of Chemical Engineering, leverages computational modeling to aid the discovery of new materials and mechanisms. Her group advances data-driven machine learning models to enable rapid design of open shell transition metal complexes. She advances fundamental theories to enable low-cost, accurate modeling of quantum mechanical properties of transition metal complexes and software for high-throughput screening to reveal design principles and develop data-driven machine learning models for the rapid design of open shell transition metal complexes. Her group uses these tools to bridge the gap from heterogeneous to homogeneous and enzyme catalysis. The methods she develops enable the prediction of new materials properties in seconds, the exploration of million-compound design spaces, and the identification of design rules and exceptions that go beyond intuition.

    Elsa Olivetti, in the Department of Materials Science and Engineering, focuses her research on sustainable and scalable materials design, manufacturing, and end-of-life recovery within the larger context in which materials are used. She is especially interested in linking strategies to reduce the environmental burden of materials across different length scales — from atoms and molecules to industrial processes and materials markets. She conducts work to inform our understanding of the complex and nuanced implications of substitution, dematerialization, and waste mining on materials sustainability.

    Alberto Rodriguez, the Class of 1957 Associate Professor in the Department of Mechanical Engineering, leads the Manipulation and Mechanisms Lab at MIT (MCube), researching autonomous dexterous manipulation and robot automation. He is also associate head of house at MIT’s Sidney-Pacific graduate dorm, where he lives with his family. He graduated in mathematics (2005) and telecommunication engineering (2006) from the Universitat Politecnica de Catalunya and earned his PhD (2013) from the Robotics Institute at Carnegie Mellon University. Rodriguez has received Best Paper Awards at conferences RSS’11, ICRA’13, RSS’18, IROS’18, RSS’19, and ICRA’21, and the 2018 Best Manipulation System Paper Award from Amazon, and the 2020 IEEE Transactions on Robotics King-Sun Fu Memorial Best Paper Award. He has been a finalist for best paper awards at IROS’16, IROS’18, ICRA’20, RSS’20, and ICRA’21. He led Team MIT-Princeton in the Amazon Robotics Challenge between 2015 and 2017, and received Faculty Research Awards from Amazon in 2018, 2019, and 2020, and from Google in 2020. He is also the recipient of the 2020 IEEE Early Academic Career Award in Robotics and Automation. 

    James Swan, in the Department of Chemical Engineering, focuses on how microstructured, in particular nano-particle, materials can be manipulated for the benefit of society. His research on soft matter is broad and has included accurate measurement of biophysical forces and the self-assembly of nano-particles in microgravity. He aims to combine theory and simulation to model the fluid mechanics and out-of-equilibrium statistical physics that are fundamental to complex fluids and other soft matter. His other research interests include computational fluid mechanics and colloid science, flow properties, biophysical media, and directed self-assembly of nanomaterials.

    Colorado becomes latest state to pass data privacy law

    Colorado has joined California and Virginia in passing a comprehensive data privacy law that forces companies to make wholesale changes to how they handle people’s sensitive information online.

    The Colorado Privacy Act, which was signed into law on July 7 by Governor Jared Polis, gives consumers the right to ask companies not to sell their personal information while also giving them access to any data companies have about them. Consumers can also ask companies to delete their data, and the law forces enterprises to ask for consent to hold certain sensitive information like Social Security Numbers, driver’s license numbers and more. While some states have passed narrower laws focused on specific data collection and sale practices, Colorado is considered by experts to be the third state after California and Virginia to pass a commercial privacy law. In addition to the rights it gives consumers, the act also forces companies to respect opt-out requests submitted on behalf of consumers. The law applies to companies that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive some revenue from sales.

    The law, which takes effect in July 2023, was hailed by experts as a step forward for data privacy in the US, even though many had concerns about a number of loopholes in the bill that companies are already taking advantage of with California’s more comprehensive law. Charles Farina, head of innovation at Adswerve, said it was concerning that the bill did not have a private right of action and noted all of the exemptions — particularly for non-profits. “The CPA includes greater fines per violation, but without an overarching federal privacy law, there remain loopholes for gathering first-party data and continued doubt from consumers about the safety of their data,” Farina said.

    “Legislation like CPA is a step in the right direction, but signals that there is still more work to be done to ensure a transparent exchange of data between consumers and businesses.” Consumer Reports senior policy analyst Maureen Mahoney said the law would need to be strengthened down the road.

    Consumer Reports noted that the advertising industry has already used bad-faith interpretations of California’s more stringent regulations to claim “that the opt-out doesn’t apply to data shared with third parties for targeted advertising.” They added that the Colorado law should have had a provision making sure that consumers will not be charged for exercising their privacy rights.

    Tyrone Jeffrees, the US information security officer at Mobiquity, added that the law is expected to be more effective than others because it can be enforced by both the Colorado office of the Attorney General as well as local district attorney offices. “The CPA goes beyond California’s by requiring a blocking option for consumers to ‘opt-out’ of having their personal information shared to create consumer profiles. To ensure compliance with the CPA’s heavier guidelines, businesses and organizations must have a deeper understanding of how their data is collected and exactly what it is being used for when targeting new customers and sharing publicly,” Jeffrees explained. “I’m thrilled for the residents of Colorado. Ultimately, each new legislation is a win for US consumers and privacy advocates. As businesses start to comply with the law, consumers can expect to see more pop-up notifications on websites disclosing how information is being collected and how that information is used. These disclosures are ubiquitous in Europe and will start to increase across the digital landscape in the US as new privacy regulations come onboard. The good news for consumers is that many of the common privacy rights afforded to EU and California residents will become part of the standard way of engaging with businesses in the US going forward.”

    Dan Clarke, a data privacy law expert, working with lawmakers in multiple states on their own laws, said the Colorado law resembled the Virginia law and California’s CPRA more than the state’s CCPA. “It aligns a little better with GDPR as well. There are two things that I think are pretty big about the law. Number one is the requirement to respect the universal opt-out. Until July 1st, 2023, the attorney general has to provide the technical specifications for that opt-out, and then everybody gets a year actually to abide by it. This is a significant development because now you’ve got a requirement to abide by what can just be programmed into a browser as a default setting,” Clarke explained.

    “It can be programmed into your mobile phone as the default setting, and you have to abide by it. I think that will accelerate the industry’s adoption and understanding of these universal opt-out signals.”

    Clarke added that the other major development in the law is the demand for “privacy impact assessments,” forcing companies to assess what kind of data they collect and have. “If you’re releasing a new product, or for example, did a kiosk to take people’s temperatures during COVID-19, you have to assess what kind of data you have. How are you using that data? How are you securing it? How long are you going to retain it? What’s the risk of it?” Clarke said.

    That is a feature of the GDPR and was included in the Virginia law but is largely invalidated due to a bevy of exemptions. There are almost no exemptions in Colorado’s law, meaning companies will have to do impact assessments for any project that collects personal data, Clarke told ZDNet. New assessments will also need to be done if there are any changes to policies, vendors or staff. Clarke added that there is a one-year lookback period, so data collected at the end of this year will be within scope. Another key provision is the right to appeal, which Clarke said is unique among the world’s data privacy laws. According to Clarke, only the Virginia and Colorado laws allow consumers to appeal a company’s decision to refuse your request for your data to be deleted. If a company refuses to delete your data, you can appeal the decision, and another arm of the company has to look at the decision. For companies worried about complying with the laws, Clarke said any organization complying with California’s CCPA and CPRA would be prepared for Colorado’s law. Clarke said the biggest issue for those who were not affected by California’s laws would be preparing to handle sensitive data like financial information.

    “With sensitive data, you have actually to ask for permission. So you have to say, ‘I want to opt into allowing you to use it and, in some cases, sell it,’” Clarke said.

    Clarke predicted that New York, Texas and Florida might be the next states to pass data privacy laws, noting that the length of some states’ legislative sessions is part of what makes it difficult to pass these kinds of laws. Some states that looked likely to pass their own data privacy laws, like Washington, simply ran out of time because of how controversial the law became locally. “An important thing about the Colorado law is just the fact that another state piled on. It’s kind of surprising that you’ve got another state that has piled on so quickly, and I honestly think that’s the biggest news out of this whole story,” Clarke said. “You’ve got to deal with another state.”