More stories


    Google Play developer accounts to require 2FA and a physical address

    Google has changed the information requirements for people with Play Store developer accounts, in an effort to validate whether developers are real. While it currently only asks for an email address and phone number, Google will now ask whether the account is personal or for a business, and require a contact name, a physical address, and verification of email and phone details.

    “Your contact information allows us to share important information and updates about your app. It also helps us make sure that every account is created by a real person with real contact details, which helps us keep the Play Store safe for all users,” Google said in a blog post. “This information will not be public-facing and is just to help us confirm your identity and communicate.”

    Google will also mandate that Google Play Console users use two-factor authentication. From today, developers can state whether their account is personal or for business, and verify contact details. While stating the account type is optional, it will be enforced if a developer wishes to update their contact details. New accounts will have the account type, contact information, and 2FA requirements enforced in August, while existing developers will face the requirements “later this year”.

    In March, Google dropped the commission it takes for Play Store sales to 15% for the first $1 million. At the time, the company said 99% of its developers would see a halving in fees taken by Google.


    Cyber insurance isn't helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers

    Ransomware is one of the biggest cybersecurity issues facing organisations today, but as claims mount and cyber insurers look at the coverage they are offering, changes may be coming.

    Cyber insurance is designed to protect organisations against the fallout of cyber attacks, including covering the financial costs of dealing with incidents. But some critics argue that insurance encourages ransomware victims to simply pay the ransom demand, which will then be covered by the insurers, rather than have adequate security to deter hackers in the first place. Insurers argue that it’s the customer that makes any decision to pay the ransom, not the insurer. It isn’t illegal to pay cyber criminals a ransom demand, but law enforcement agencies warn that doing so gives the gangs funds to launch more attacks.

    According to a research paper examining cyber insurance and the cybersecurity challenge by defence think tank Royal United Services Institute (RUSI), this practice isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, which warns ransomware has become an existential threat for some insurers. “To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations’ cyber security practices,” RUSI said. And it warned: “Cyber insurers may be unintentionally facilitating the behaviour of cybercriminals by contributing to the growth of targeted ransomware operations.”

    Ransomware is one of the most significant cyber threats which organisations face today – as National Cyber Security Centre (NCSC) CEO Lindy Cameron recently said in a speech at RUSI – as attacks increase in complexity and cyber criminals demand larger ransoms.

    Refusing to pay the ransom can lead to months of downtime and huge costs for organisations that attempt to restore their network from scratch – and according to RUSI, some ransomware victims and their insurers will pay the ransom because they see it as the lowest-cost option for restoring networks. “There are widespread concerns that insurers are fuelling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption,” says the paper. Some ransomware gangs are even actively seeking to target victims with cyber security policies, because they believe that’s the best way to guarantee they’ll make money from encryption campaigns.

    However, according to the RUSI report, cyber insurance can actually play a role in actively disrupting the ransomware business model, by encouraging policy holders to improve their defences and do as much as possible to avoid falling victim to a ransomware attack in the first place. The paper suggests that insurance should require ‘minimum ransomware controls’ as part of any ransomware coverage. These controls include timely patching of critical vulnerabilities in external-facing IT infrastructure, enabling multi-factor authentication on remote access services, limiting lateral movement by adopting network segmentation, and implementing procedures to ensure regular backups are created.

    And there is some evidence that change is coming. According to a recent story in the Financial Times, insurers are already increasing premiums and putting in place stricter demands on the cybersecurity strategies used by companies that want to buy cyber insurance. The Washington Post has also reported that insurers are demanding greater security and cutting back the amounts of cover they are willing to offer.

    All of these recommendations could prevent a ransomware attack from happening in the first place, or mitigate the damage a ransomware attack could do – meaning that in the event of falling victim to a ransomware attack, paying the ransom would be an absolute last resort, rather than being signed off as the simplest thing to do. It would also reduce risks for the cyber insurance industry going forward, reducing the need for insurance firms to support payouts of millions for decryption keys following a ransomware attack.

    “The impact of ransomware on the cyber insurance industry emphasises the need to address some of these issues and questions sooner rather than later. As some insurers risk being overwhelmed by losses, the industry and governments need to react quickly to ensure adequate protection and coverage for businesses,” the researchers said.

    However, at least right now, the availability of cyber insurance doesn’t seem to be helping improve cybersecurity. “Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise,” the report said, adding: “Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders.”



    EA ignored domain vulnerabilities for months despite warnings and breaches

    Gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry after ignoring warnings from cybersecurity researchers in December 2020 that multiple vulnerabilities left the company severely exposed to hackers. 

    Officials from Israeli cybersecurity firm Cyberpion approached EA late last year to inform it of multiple domains that could be subject to takeover, as well as misconfigured and potentially unknown assets and domains with misconfigured DNS records. But even after sending EA a detailed document about the problems and a proof of concept, Cyberpion co-founder Ori Engelberg told ZDNet that EA did nothing to address the issues. Engelberg said EA responded with an acknowledgment of receiving the information on these vulnerabilities and said it would contact Cyberpion if it had any additional questions. But it never did.

    “We inspect the entire internet but as gamers, we are customers of EA. So many of our employees play FIFA and other games. We love EA so we wanted to contact them to help because their online presence is significant,” Engelberg said. “What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that’s the easiest door to the company. It isn’t even a door. It is something simpler.”

    He explained that, by using the stolen domains, malicious actors could send emails purporting to be from EA and ask people to send account information or other data. EA was already facing backlash last week after it was revealed that a “chain of vulnerabilities” could have allowed attackers to gain access to personal information and take control of accounts.

    In recent weeks, Motherboard reported that the massive data breach EA suffered was due to hackers’ ability to abuse Slack privileges to gain access to an account. Hackers on forums boasted about stealing 780 GB of data from the company and gaining full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, which powers EA’s most popular games like Battlefield, FIFA, and Madden.

    But before the breach through Slack, Engelberg and his team had repeatedly warned EA that at least six — now more than 10 according to Engelberg — vulnerabilities left multiple domains and other assets free for the taking. Domains like occo.ea.com were vulnerable to takeover, and the Cyberpion team found 15 EA sites — like wwe-forums.ea.com, api.pogo.com, and api.alphe.pogo.com — serving login pages over HTTP. The host stats.ea-europe.com serves a mismatched certificate and its DNS record points to an IP address of a non-EA site, while easportsfootball.it and easoweb01.ea.com serve certificates that expired seven and nine years ago, respectively. Cyberpion researchers discovered that the SOA record of ea-europe.com refers to an authoritative name server that has a private IP address; a local DNS server on this address can return whatever address its operator decides for ea-europe.com. They also identified over 500 DNS misconfigurations across EA’s domains.

    Engelberg noted that he has seen dozens of examples of hackers taking over the domain of an organization and sending emails from that domain to suppliers as a way to spread an attack. “Suppliers are even more vulnerable than employees and customers because it is very common for them to get emails from people inside the customer organization that they don’t know,” Engelberg explained. “This is something that is very easy to abuse because somebody can take over an external infrastructure through which it is possible now to send emails, to issue a valid certificate, to operate a site that looks just like the login of EA. It is EA’s certificate, it is EA’s domain. It was also possible to send and read emails from the domains.”

    Engelberg said he simulated an attack for EA in December but the company never addressed the issue, allowing it to worsen as more assets became vulnerable to takeover. While Engelberg said he was not surprised EA got hacked through Slack earlier this month, he did sympathize with their plight, noting that the company’s security team probably has hundreds of action items to handle. The issues caught by Cyberpion also involve EA’s supply chain, making them more difficult to solve, Engelberg added.

    “In most cases, it is about being connected to some infrastructure which is not controlled by your organization. The basic thing that could be done is to cut the connection. Even before you understand who owns or created these,” he said. “Just shut down the asset. You have an asset. It could be taken over, so shut it down. Delete all the DNS records and just make sure it is no longer active.”

    Vulnerabilities like the ones found by Cyberpion are common across the internet, and Engelberg explained that his team has found dozens of Fortune 500 companies with similar issues. But according to Akamai’s new report Gaming in a Pandemic, this issue is big within the gaming industry. Web application attacks targeting the video game industry grew by 340% in 2020, a higher rate than any other sector during the COVID-19 pandemic.

    “It is basically a matter of external attack surface management. In the end, enterprises do not know about their entire perimeter. They are distributedly managed. Somebody can create an asset and it will not be done via the IT or the security teams,” Engelberg said. “Even assets that are known to the security team may have changes they don’t know about. If the hackers can achieve what they want without penetrating the organization but by hacking a third, fourth, or fifth party that you are connected to, why not? You have no visibility over the attack and you will find your data in the dark web three years from now.”

    K2 Cyber Security co-founder Jayant Shukla agreed with Cyberpion’s take on the issues and said most of the vulnerabilities stem from not keeping configurations up to date or not removing subdomains when they’re no longer needed. Shukla noted that while invalid certificates are a legitimate issue and will deter security-conscious users from visiting the site, they do not give attackers control over the domain. But the issue of DNS records is crucial for any company, Shukla told ZDNet.

    “In the end, none of these vulnerabilities appeared to threaten customer-facing interactions but decommissioning unused subdomains and keeping certificates up to date will go a long way to ensuring network operations are secure,” Shukla said. Shukla also questioned why EA released control over the occo.ea.com subdomain, speculating that it was not used often by EA. “The process of commissioning a subdomain is followed by everyone, but that does not happen when the subdomain is decommissioned. This is what the creators of the report seem to have exposed,” Shukla added.

    EA said it would have a full response when contacted for comment by ZDNet but never returned calls or emails after that. Cyberpion’s system found that EA fixed 7 of the critical issues in its assets in the 48 hours after the company was contacted for comment.


    Qualcomm launches Snapdragon 888 Plus, 5G accelerator card, new small cell platform

    Qualcomm is looking to boost mmWave 5G adoption across smartphones, infrastructure, and industrial applications. Building out the infrastructure to support 5G mmWave is going to be critical for everything from industry 4.0 applications to smart cities to keeping unlimited data plans, said Ignacio Contreras, senior director of product marketing at Qualcomm. “As more users go back to normal you’ll see more of the difference in what mmWave provides at places like train stations, coffee shops, stadiums and trade shows,” he said. “Networks need to deliver more capacity to keep unlimited plans affordable.”

    Among the key announcements from Qualcomm at Mobile World Congress 2021:

    Qualcomm launched the Snapdragon 888 Plus 5G platform for premium-tier smartphones rolling out in the second half of the year. The follow-up to the Snapdragon 888 improves on the artificial intelligence engine for gaming and entertainment and boosts the Qualcomm Kryo 680 CPU Prime clock speed up to 3.0 GHz. According to Qualcomm, the 6th generation Qualcomm AI Engine has up to 32 TOPS of AI performance, a 20% improvement over its predecessor.

    Qualcomm launched the 5G DU X100 Accelerator Card. The hardware is designed to boost performance, be power efficient with low latency, and be turnkey for 5G networks.

    The company is betting on providing infrastructure to accelerate virtualized radio access networks (RAN). RANs use radio transceivers to connect devices and manage network resources across devices and cellular networks. The Qualcomm 5G DU X100 is a PCIe inline accelerator card supporting concurrent Sub-6 GHz and mmWave. The theory is that the card will simplify 5G deployments because it can plug into off-the-shelf servers to handle backend functions.

    Qualcomm released the second generation of its 5G RAN Platform for Small Cells (FSM200xx), which will have global spectrum support across mmWave and Sub-6 GHz. It also has the 3GPP Release 16 5G Modem-RF System for industry 4.0 applications in factories and other areas. The platform supports all commercial global mmWave and Sub-6 GHz bands. Small cells will be critical for 5G public and private networks due to the need for densification.


    Own an old WD My Book Live? Disconnect it from the internet right now

    Western Digital is urging legacy My Book owners to unplug their devices from the internet without delay following a series of remote attacks.

    In an advisory published June 24, the hardware vendor said that My Book Live and My Book Live Duo network-attached storage (NAS) devices are being remotely wiped through factory resets, leaving users at risk of losing all of their stored data. “Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said. “In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.”

    It appears that the vulnerability being exploited is CVE-2018-18472, a root remote command execution (RCE) bug that has earned a CVSS severity rating of 9.8. With attackers able to remotely operate as root, they can trigger resets and wipe all of the content on these portable storage devices, which made their debut in 2010 and received their final firmware update in 2015. When products become end-of-life, they are generally not entitled to new security updates.

    As first reported by Bleeping Computer, forum users began querying the sudden loss of their data on June 24 via both the WD forum and Reddit. One forum user deemed themselves “totally screwed” due to the deletion of their information. “I am willing to part with my life savings to get my doctoral thesis data, newborn pictures of my children and dead relatives, travel blogs I wrote and never published and all my last 7 months of contract work,” another user commented. “I am so scared to even think about what this is going to do for my career having lost all my project data and documentation.”

    At the time of writing, forum users are trading potential recovery methods and ideas with varying degrees of success. “We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access,” Western Digital says. The log files, so far, show that My Book Live devices are being struck worldwide through direct online connections or port forwarding. WizCase has previously published proof-of-concept (PoC) code for the vulnerability. In some cases, the attackers are also installing a Trojan, of which a sample has been uploaded to VirusTotal.

    My Book Live devices are thought to be the only products involved in this widespread attack. WD cloud services, firmware update systems, and customer information are not believed to have been compromised. Western Digital is urging customers to pull their devices from the internet as quickly as possible. “We understand that our customers’ data is very important,” Western Digital says. “We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further.” The company is also investigating potential recovery options for impacted customers.

    ZDNet has reached out to Western Digital with additional queries and we will update when we hear back.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    GitHub bug bounties: payouts surge past $1.5 million mark

    Over half a million dollars has been issued as rewards for researchers participating in GitHub’s bug bounty program over the past year, bringing total payouts to over $1.5 million. 

    The Microsoft-owned vendor has operated the GitHub Security Bug Bounty Program for seven years. Bug bounty programs are now a common way for vendors to elicit help from third-party researchers in securing products and services. In years past, it was sometimes difficult to privately disclose bugs and many companies did not have a dedicated contact or portal for vulnerability reports — but now, both credit and financial rewards are often on offer.

    The vendor says that 2020 “was the busiest year yet” for GitHub’s program. “From February 2020 to February 2021, we handled a higher volume of submissions than any previous year,” GitHub says. In total, 1,066 bug reports were submitted across GitHub’s public and private programs — the latter of which is focused on beta and pre-release products — over the year, and $524,250 was awarded for 203 vulnerabilities. Since 2016, when GitHub launched its public program on HackerOne, rewards have reached $1,552,004.

    The scope of GitHub’s program includes numerous GitHub-owned domains and targets such as the GitHub API, Actions, Pages, and Gist. Critical issues, including code execution, SQL attacks, and login bypass tactics, can earn researchers up to $30,000 per report.

    GitHub also operates under the Safe Harbor principle, in which bug bounty hunters who adhere to responsible disclosure policies are protected from any potential legal ramifications of their research. The company says that over the past year, a universal open redirect submission has become its “favorite” bug. William Bowling was able to develop an exploit that leveraged request handlers to trigger an open redirect and also compromise Gist user OAuth flows. The report earned Bowling a $10,000 reward.

    GitHub also became a CVE Numbering Authority (CNA) in 2020 and has begun issuing CVEs for vulnerabilities in GitHub Enterprise Server.

    In related GitHub news, earlier this month the organization updated its policies on sharing software and code which can not only be used to conduct security research but also could be adopted by attackers. GitHub updated its terms to strip out “overly broad” language used to describe “dual-use” software, including tools such as Mimikatz, to “explicitly permit” sharing and remove the risk of any accusation of hostility toward genuine threat and cybersecurity research.


    Ministry of Defence employee charged in child pornography case

    A former UK Ministry of Defence (MoD) employee has been jailed for 16 months after being found guilty of storing and sharing child pornography. 

    The UK’s National Crime Agency (NCA) said that Bristol resident Phillip Nutt appeared in front of a judge at Bristol Crown Court on June 24. Nutt had previously pleaded guilty to possessing, making, and distributing indecent images. According to the NCA, Nutt was a former MoD employee who “used his IT skills to source and download child abuse images on the Dark Web.”

    Nutt was arrested by the NCA at his holiday home in Cornwall in 2020. During the raid, the police discovered close to 300 images and videos on his personal phone and computers. However, the 53-year-old managed a far more extensive collection stored in overseas and cloud-based accounts. With the assistance of international law enforcement agencies, the NCA discovered 445 online folders containing 18,641 files, including indecent images and “hundreds” of child pornography videos. Some of the videos documented abuse lasting up to two hours.

    The former MoD employee disguised his mobile collection in a lockbox app disguised as a calculator. However, he also frequented a forum on the Dark Web, dubbed the “PedoPub,” where he discussed his activities.

    “I have everything secured and no one can see unless I leave it unlocked by accident,” Nutt told a fellow chat room user. “I have a false camera storage as well so if someone asks to see my photos it shows normal people photos. The good ones are hidden.” Nutt also vented his frustration at the UK’s lockdown policies, which at their peak kept children, except those of key workers or the vulnerable, from attending school in person — therefore restricting his access to children.

    “The conviction of Nutt serves as a warning to all — that we will work with partners across the globe to safeguard children and bring offenders before the court,” commented Derek Evans, NCA Senior Investigating Officer. “For as long as the demand for this material remains in depraved people like Nutt, it will continue to be supplied. This investigation has broken part of that cycle and the NCA has succeeded in disrupting someone who posed a significant threat to children.”

    ZDNet has reached out to the MoD for comment and we will update when we hear back.


    Microsoft support agent and some basic customer details hit by SolarWinds attackers

    The Russian-backed group Nobelium, which gained notoriety for the SolarWinds supply chain hack — an attack that saw a backdoor planted in thousands of organisations before cherry-picking nine US federal agencies and about 100 US companies to actually compromise and steal information from — has now hit Microsoft itself. In an update on Friday, Microsoft said it found “information-stealing malware” on the machine of one of its support agents that had access to “basic account information for a small number of our customers”.

    “The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device,” the company said. “The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust ‘least privileged access’ approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.” Microsoft recommended using multi-factor authentication and zero trust architectures to help protect environments.

    Redmond recently warned that Nobelium was conducting a phishing campaign impersonating USAID after it managed to take control of a USAID account on the email marketing platform Constant Contact. The phishing campaign targeted around 3,000 accounts linked to government agencies, think tanks, consultants, and non-governmental organisations, Microsoft said.

    In its Friday update, Microsoft said it has continued to see “password spray and brute-force attacks”. “This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised — we are aware of three compromised entities to date,” it said. “All customers that were compromised or targeted are being contacted through our nation-state notification process.”

    Malware made its way through normal Microsoft driver signing process

    In a second Friday post, Microsoft admitted a malicious driver had managed to get signed by the software giant. “The actor’s activity is limited to the gaming sector specifically in China and does not appear to target enterprise environments. We are not attributing this to a nation-state actor at this time,” the company said. “The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”

    As a result of the incident, Microsoft said it would be “refining” its policies, validation, and signing processes. Microsoft added that the drivers would be blocked through its Defender applications. While Microsoft called the malware a driver, Karsten Hahn of G Data, which discovered the Netfilter malware, labelled it a rootkit. “At the time of writing it is still unknown how the driver could pass the signing process,” he wrote. Hahn said searching VirusTotal produced sample signatures going back to March. Netfilter has an update mechanism that contacts a particular IP address, installs a root certificate, and updates proxy settings, Hahn said. Microsoft said that for the attack to work, the attackers must have admin privileges for the installer to update registry keys and install the driver, or convince the user to do it themselves.