More stories

  • Google outlines new security practices for Nest devices

    Google is outlining new security standards for its Nest smart home devices and updating its privacy commitments as part of an effort to make its positions on both privacy and security more straightforward for Nest users. 

    Google said its new Nest security practices include adopting standards Google has long held as well as implementing new updates that are specific to Nest’s connected home devices and services. Specifically, Google will begin certifying Nest devices sold in 2019 or later using an independent security standard, including those developed by the Internet of Secure Things Alliance (ioXt). The company will also publish the validation results that explain how its products hold up to those standards, and will assess new products against the standards prior to launch. Meanwhile, Google said Nest will now participate in the Google vulnerability rewards program, which pays outside security researchers for finding vulnerabilities and reporting them to the Nest Security team. Google has also committed to patching critical issues known to Google Nest, promising automatic bug and security fix support for a minimum of 5 years.

    Nest devices will also be added to the Google device activity page to give users visibility into which devices are connected to their account. It’s worth noting that Nest users have already had access to these security protections, provided they coupled their devices with an active Google account. In terms of privacy, Google said it has updated a section in its privacy commitments to better reflect its focus on openness. Nest product manager Ryan Campbell said in a blog post:

    Two years ago Nest shared our commitments to privacy to give you a better understanding of how our products work in your home. Today, we’re publishing new security commitments and putting it all in one place: Nest’s new Safety Center. The Safety Center is meant to give you a clear picture of the work we do each day to build trustworthy products and create a safer and more helpful home. Finally, we want to acknowledge the way this technology is evolving — for example, our recent announcements on Matter and our work on Project Connected Home over IP. That’s why we’ve updated a small section in our privacy commitments to better reflect our focus on openness.

    Google’s latest security updates to the Nest product family build on earlier changes Google made to bolster the security posture of its products. In February 2020, Google rolled out two-factor authentication (2FA) to Nest devices, and prior to that, reCAPTCHA Enterprise was integrated with Nest accounts to mitigate the risk of credential stuffing attacks.

  • Survey finds massive gap in awareness of cyberattacks

    A new survey from cybersecurity company Armis found that awareness of major cybersecurity incidents in the US is lacking.

    Last month, the company surveyed more than 2,000 professionals, discovering that almost 25% had never heard about the ransomware attack on Colonial Pipeline that caused gas shortages along the East Coast. More than 23% said the attack would not have any long-standing effects on the fuel industry in the US, despite the highly publicized cybersecurity changes oil and gas companies were forced to make by the Biden Administration following the attack. Nearly half of respondents had not heard about the malicious takeover of the water treatment plant in Oldsmar, Florida.

    More than half of all respondents said their personal devices did not pose a cybersecurity risk. Over 70% said they expected to bring their devices from home into the office once COVID-19 restrictions were lifted. Curtis Simpson, CISO at Armis, said the responses showed that organizations have to prioritize cybersecurity on their own because employees have little awareness of the cyber threat landscape. “The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operation,” Simpson said.

    “This data shows that there is less consumer attention on these attacks as we might expect, and so that responsibility falls to businesses to shore up their defenses.”

    A bipartisan group of US House of Representatives members introduced the American Cybersecurity Literacy Act last week in an effort to improve the country’s understanding of cybersecurity and kickstart public awareness campaigns. Rep. Adam Kinzinger, one of the leading voices behind the bill, noted on Twitter that a cyberattack occurs every 39 seconds and that since the pandemic started, cybercrime has increased drastically. “We must protect ourselves and our interests — and it starts with cyber education. As technological advancements increase and become more complex, it is critical that everyone is aware of the risks posed by cyberattacks and how to mitigate those risks for personal security,” Kinzinger said. “In order to prevent these attacks going forward, we must combine public awareness with targeted cyber education.”

    Rep. Gus Bilirakis, the Congressman for Oldsmar, Florida, added that the bill would help “develop a national education campaign to raise awareness of attacks and the practical steps that can be taken to thwart future bad actors.” “In my district, a hacker was recently able to penetrate a local government’s security measures and temporarily change the chemical settings of the city’s water supply to a potentially dangerous level,” Bilirakis said. “This is a matter of national security, and we must do everything we can to protect all Americans from those who wish to do us harm.”


  • IBM Kestrel threat hunting language granted to Open Cybersecurity Alliance

    IBM has contributed the Kestrel threat analysis language to the Open Cybersecurity Alliance (OCA). 

    On Tuesday, the tech giant said that Kestrel helps Security Operations Center (SOC) analysts and other professionals in the industry “streamline threat discovery,” allowing experts to more quickly tackle cyberforensics investigations, breaches, and other incidents. Kestrel made its debut this year at the RSA Conference. The open source programming language, developed jointly by IBM Research and IBM Security, is based on experiments performed via DARPA’s Transparent Computing initiative. Kestrel is used to compose ‘hunt’ flows that combine known threat patterns, data sources, analytics, and detection logic into a repeatable process, so that cybersecurity professionals can leave repetitive jobs to automation and focus on tasks that require the intuition and skill of human staff.

    Normally, proactive threat hunting to protect an organization’s networks takes a lot of human hours and skill. Because it requires hypotheses and likely attack sources to be worked out alongside detection procedures, the vendor believes that cybersecurity staff often end up “rewriting the same programs following each attack.” This is where Kestrel comes in.

    “Kestrel threat hunting language provides an abstraction for threat hunters to focus on what to hunt instead of how to hunt,” IBM says. “The composable hunting flows enable the reuse of best practices and help reduce the time to create new hunts.”

    The project is open source, and now that it has been accepted by the OCA, whose members include Cybereason, McAfee, IBM Security, and Tenable, it is hoped that the language will further the alliance’s promotion of interoperable cybersecurity products. “Instead of dissecting indicators of compromise we will be dissecting playbooks of entire hunt logic and across data sources,” commented Sheldon Shaw, VP of Innovation & Infrastructure at CyberNB. “As adoption of the language continues to roll out, our collective hunt teams will be able to collaborate and approach cyber investigations differently.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Ransomware: Paying up won't stop you from getting hit again, says cybersecurity chief

    Ireland’s Health Service Executive (HSE) has been praised for its response after falling victim to a major ransomware attack and for not giving in to cyber criminals by paying a ransom. HSE was hit with Conti ransomware in May, significantly impacting frontline health services. The attackers initially demanded a ransom of $20 million in bitcoin for the decryption key to restore the network.

    While the gang eventually handed over a decryption key without receiving a ransom, they still published stolen patient data – a common technique by ransomware attackers, designed to pressure victims into paying.

    HSE’s decision not to pay the ransom has been praised by the head of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, especially as the attack had “crossed a line” by disrupting hospital appointments and health services across Ireland. “I would like to praise the Irish response not to pay the ransom. Cyber criminals are out to make money – the more times a method is successful, the more times it will be used,” she said in a speech to the Institute of International and European Affairs (IIEA), an Irish think tank. The HSE ransomware attack happened around the same time as two other high-profile incidents – the Colonial Pipeline ransomware attack and the JBS ransomware attack. Unlike HSE, both of these organisations paid cyber criminals millions of dollars in bitcoin in exchange for the decryption key.

    Colonial and JBS are far from alone in paying ransoms. But many in law enforcement argue that paying the ransom perpetuates the problem, and provides gangs with resources to launch even more ambitious attacks against other targets. There’s also no certainty that paying the ransom will even solve the problem, because it involves trusting that criminals will hold up their end of the bargain – they could easily just take the money and run, or return with an additional ransomware attack. “Payment of ransoms is no guarantee that you will get your data back – and certainly no guarantee you won’t be attacked again – in fact, advertising a willingness to pay makes someone a more interesting prospect,” said Cameron.


    “So it’s important that we do all we can to ensure this is not a criminal model that yields returns. The government’s strong action of refusing to pay will likely deter ransomware operators from further attacks on health sector organisations – in Ireland or elsewhere,” she added.

    Despite receiving the decryption key, restoring the network has been a long and arduous process for HSE, and disruption to health services across Ireland is expected for months to come. The NCSC has been helping Ireland’s defence forces in the aftermath of the incident, using experience from the WannaCry ransomware attack, which disrupted NHS networks across England. “As you would expect from a close partner, we did all we could to support our partners in Ireland when the HSE attack took place. This included sharing as much relevant information as we could – both from a cybercrime and a law enforcement perspective,” said Cameron. “The global nature of the cyber threat means that our international partnerships are critical to countering and deterring malicious cyber actors who want to cause harm to the UK,” she added.


  • Dash cam data solves a big infrastructure problem

    Those painted road markings on highways don’t seem like much, but study after study shows that they save many lives. Keeping track of faded lane dividers, potholes, and other hazards on America’s 4 million miles of roads is a tall task, but the data already exists — it is being recorded every day by dash cams.

    That’s the premise behind a new collaboration between Nexar, whose popular dash cams are in hundreds of thousands of cars covering millions of miles of roads a day, and Blyncsy, a movement and data intelligence company headquartered in Salt Lake City, Utah. Blyncsy will ingest billions of images collected by Nexar’s dash cams to support pilot programs for the New Mexico Department of Transportation, CalTrans, Utah, and other departments nationwide.

    “We know that machine learning is only as strong as the data it depends on,” says Mark Pittman, CEO and founder of Blyncsy. “With this partnership, we’re giving government agencies a magnifying glass for their infrastructure, plus the power of continuous pattern analysis and predictive analytics. We’re excited to see how this combination can impact public servants, communities, and people everywhere.”

    According to federal data, half of fatalities on America’s roadways result when motorists leave their travel lanes, making this a problem of enormous consequence. Asphalt pavement markings are a huge factor in reducing lane departure incidents, but DOTs have trouble determining with any reliability where and when markings need to be upgraded. With over four million miles of highway in the U.S., potholes are similarly difficult for DOTs to reliably find and fix in a timely manner.

    Through the power of AI, billions of images collected by the dash cams may help. The images are mapped, contextualized, analyzed, and can be presented to state DOTs on a dashboard showing them in real time where repairs are needed.


    “We are proud to partner with Blyncsy using our combined AI smart technology to improve our roads,” says Eran Shir, CEO and co-founder of Nexar. “With many cities investing in expensive lidar technologies to monitor their streets and roads, or human surveyors, the crowdsourced vision data from Nexar ‘sees’ the world at eye-level just like we do and provides superior insights at a fraction of the cost. Pavement monitoring is just one example of Nexar’s value while other cities and businesses are using the data to monitor and understand curb use, real estate trends, pedestrian traffic, construction, and more. Nexar creates a platform that other companies can run their AI on and in some cases applies its own AI, such as work zone detections in the Las Vegas Valley.”

  • Rockets to mine water from the moon

    A new collaboration between space exploration technology companies has resulted in a novel approach to extracting water from the moon, a key step for possible human colonization. Masten Space Systems teamed up with Honeybee Robotics and Lunar Outpost to design a Rocket Mining System that can disrupt lunar soil with a series of rocket plumes.

    The rockets fluidize the icy regolith found in certain areas of the moon, including the satellite’s south pole, with direct convective heating. The system can recover more than 420,000 kg of lunar water per year, using a rocket engine under a pressurized dome to enable deep cratering more than 2 meters below the lunar surface. Ejecta from multiple rocket firings soars into the dome, where it’s funneled through a vacuum-like system that separates ice particles from dust.


    Water extraction is considered a key ingredient in the quickening race to inhabit the moon and eventually other extraterrestrial bodies. Usable as drinking water, rocket fuel, and other vital resources, lunar ice extraction can enable a sustained presence on the moon and can also be used in conjunction with other volatiles found in lunar regolith, such as oxygen and methane, to support energy, construction, and manufacturing.

    “As one of the first commercial companies sending a lunar lander to the Moon, Masten is in a unique position to deploy this system,” according to a company blog post. “We’ve been testing plume surface interactions with our reusable rockets and engine test stands for more than a decade. The tests we conduct have allowed us to collect cratering data using a frozen lunar regolith simulant at our facilities in Mojave.”

    Rocket mining, according to Masten, is preferable to mechanical excavation using drills and other equipment due to its cost effectiveness and scalability. Whereas it would be challenging to send enough drilling equipment to the moon to extract usable quantities of water, the rocket mining rig designed through the current collaboration fits inside a small rover. Because it relies on convective heat, this approach also permits mining around obstacles like boulders. Perhaps best yet, it’s largely self-sustaining: solar energy can be used to electrolyze the stored water into oxygen and hydrogen to continue powering the rocket engine for years. Building on decades of experiments, Masten is preparing to build a prototype of the rig for testing.

  • New ransomware highlights widespread adoption of Golang language by cyberattackers

    A new ransomware strain that utilizes Golang highlights the programming language’s increasing adoption by threat actors. 

    CrowdStrike secured a sample of a new ransomware variant, as yet unnamed, that borrows features from HelloKitty/DeathRansom and FiveHands. These ransomware strains are thought to have been active since 2019 and have been linked to attacks against the maker of Cyberpunk 2077, CD Projekt Red (CDPR), as well as enterprise organizations. The sample shares functions with HelloKitty and FiveHands, including components written in C++ and the way the malware encrypts files and accepts command-line arguments. In addition, akin to FiveHands, the new malware makes use of an executable packer that requires a key value, supplied through the command-line switch “-key,” to decrypt its malicious payload into memory. “This method of using a memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer,” CrowdStrike says. However, unlike HelloKitty and FiveHands, this new ransomware strain has adopted a packer written in Go that encrypts its C++ ransomware payload.

    According to Intezer, malware utilizing Go was a rare occurrence before 2019, but now the programming language is a popular option due to the ease of compiling code quickly for multiple platforms and the difficulty of reverse-engineering the result. Sample rates have increased by approximately 2,000% in the past few years. CrowdStrike’s sample uses the most recent version of Golang, v1.16, which was released in February 2021. “Although Golang-written malware and packers are not new, compiling it with the latest Golang makes it challenging to debug for malware researchers,” CrowdStrike notes. “That’s because all necessary libraries are statically linked and included in the compiler binary, and the function name recovery is difficult.”

    In addition to the use of Go, the sample contains typical functions of ransomware — including the ability to encrypt files and disks, as well as issuing a demand for payment in return for a decryption key. The ransom note directs victims to a Tor address for a direct chat session with the malware’s operators and also claims to have stolen over 1TB in personal data, which suggests the developers may be attempting ‘double extortion’: if a victim refuses to pay, they are threatened with the leak of their information.

    Earlier this month, BlackBerry’s threat research team published a report on ChaChi, a Trojan written in Go that has been used to attack French government authorities, and more recently, the US education sector.


  • Canberra dishes out AU$8 million to boost Aussie cyber skills

    The federal government has thrown AU$8.2 million of its AU$70 million Cyber Security Skills Partnership Innovation Fund at eight projects, with the aim of improving the skills and availability of cybersecurity professionals in Australia.

    Round one sees La Trobe University walk away with AU$2.35 million to raise awareness among 80,000 high school students of cybersecurity skills and training opportunities. The program will also partner with major industry players to help small businesses grow their skills, the government said.

    An Australian Cyber Security Growth Network-led project to develop a cybersecurity traineeship program to support about 200 participants into a cybersecurity career also received an undisclosed amount of funding, as did a project led by CSIRO aimed at up-skilling early career researchers in cybersecurity innovation and providing 100 university students with work experience.

    A Central Regional TAFE-led project to improve the number and quality of cybersecurity-trained professionals, including women, in regional and remote locations in Western Australia will take a slice of the funding, as will a TasTAFE-led project to establish a Cyber Innovation Training Hub that offers industry training. NSW Treasury is also receiving a slice of the funding to help with its project delivering a six-week cybersecurity work experience program with TAFE NSW and businesses for year 10 students.

    A project led by software firm RightCrowd that offers post-graduate training with Griffith University and commercial “on-the-job” internships was also a beneficiary of the round one kitty, as was Grok Academy, which is partnering school, vocational, and university students with industry players to develop their cybersecurity skills.

    The Cyber Security Skills Partnership Innovation Fund was handed further funding as part of the 2021 federal Budget. In total, the Budget allocated AU$77.1 million to skills as part of the government’s new digital economy strategy, which it described as an investment in the settings, infrastructure, and incentives to grow Australia’s digital economy.

    The AU$77.1 million will be shared by the “Digital Skills Cadetship Trial” to deliver work-based learning opportunities for in-demand digital jobs, with AU$10.7 million; AU$22.6 million for the “Next Generation Emerging Technology Graduates Program” that will provide more than 200 scholarships in emerging technologies; and AU$43.8 million for the expansion of its Cyber Security Skills Partnership Innovation Fund to fund additional innovative projects to quickly improve the quality and quantity of cybersecurity professionals in Australia.

    “We need a strong cybersecurity workforce in Australia to meet the increasing scale and sophistication of cyber threats,” Minister for Home Affairs Karen Andrews said. “Projects funded under the Cyber Security Skills Partnership Innovation Fund will help grow our workforce to ensure a safe online environment for all Australians.”

    Elsewhere, cybersecurity services provider Willyama Services was awarded a multi-year contract with Defence worth AU$10.3 million. The contract is for cybersecurity specialist support to the Defence Industry Security Office (DISO). Running for an initial two years, with a further 24-month option, Willyama, which has its sights set on becoming the first 100% Aboriginal-owned IT company to list on the ASX, will provide ongoing cyber specialist support to deliver DISO cybersecurity assurance and audit activities.

    “This contract with Defence is significant for more than the financial value,” Willyama said. “The majority of the Indigenous and veteran staff Willyama engages come from ‘non-traditional’ employment backgrounds for engagement in the federal IT sector and require significant support, cross and upskilling, in order to be able to provide these services.

    “With two years guaranteed commercial support, we expect to significantly increase our investment in Indigenous and veteran staff to be able to provide more services to the federal sector in the future.

    “This contract is a lever to changing lives and we are excited by the opportunity to share this journey with Defence.”