Eliana Willis

The US Supreme Court has ruled that a police officer who obtained information from a licence database for a civilian, in exchange for money, did not violate federal hacking laws. The ruling clarifies the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) and what kind of conduct can be prosecuted. The CFAA became law after the US government found cybercrimes and hacking were not sufficiently addressed by legislation at the time. The case arose after the Federal Bureau of Investigation caught former Georgia police officer, Nathan Van Buren, using his patrol-car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money. When making the search, Van Buren used his own, valid credentials. After Van Buren was first charged, a US District Court convicted him of two charges: Violating police department policy of obtaining database information for a personal purpose and violating the CFAA by using a computer network in a way contrary to his job. Van Buren appealed those charges, however, which eventually brought the case to the US Supreme Court and its judgment. At the Supreme Court, the justices ruled 6-3 in favour of Van Buren as he had access to the database as part of his valid credentials. When making that ruling, the justices framed their judgment on whether Van Buren “exceeded his authorised access” when accessing the license plate database.

“In the computing context, ‘access’ references the act of entering a computer ‘system itself’ or a particular ‘part of a computer system,’ such as files, folders, or databases,” Justice Amy Coney Barrett said, who wrote the majority opinion. “It is thus consistent with that meaning to equate ‘exceed[ing] authorised access’ with the act of entering a part of the system to which a computer user lacks access privileges.” The three judges who dissented against the decision, Justices Clarence Thomas, Samuel Alito, and John Roberts, believed that Van Buren did breach the hacking laws as he was forbidden from using the computer to obtain the licence information. “Van Buren’s conduct was legal only if he was entitled to obtain that specific license-plate information by using his admittedly authorised access to the database. He was not. A person is entitled to do something only if he has a ‘right’ to do it,” Thomas wrote in his dissenting opinion. In making the dissent, Thomas analogised Van Buren’s conduct to an employee pulling an alarm for a self-motivated reason or a valet accessing a patron’s car and then proceeding to go on a joyride. “An employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared,” Thomas wrote. With the judgment, the CFAA charge against Van Buren has been dropped, while the charge for violating department policy remains intact. Related Coverage More

Japanese conglomerate Fujifilm announced that it is suffering from a ransomware attack, becoming the latest victim of cyberattackers who in the last week alone have crippled everything from the largest meat processor in the US to the ferry system serving Martha’s Vineyard.In a statement, the company said it was investigating unauthorized access to its servers and had no choice but to shut down its network. On Tuesday evening, the company said it became aware that it was being hit with ransomware and spent the last two days trying to “determine the extent and the scale of the issue.”The photography and medical imaging giant said the attack had affected all of its external communications, including email and phone services. BleepingComputer spoke with Advanced Intel CEO Vitali Kremez, who said Fujifilm had been hit with the Qbot trojan in May and added that the people behind Qbot have been working with the REvil ransomware gang as of late.REvil caused outrage again this weekend after they were implicated in a ransomware attack on JBS, one of the world’s largest meat processors and a company providing about one fourth of the beef and pork in the US. They previously shut down Colonial Pipeline, causing gas shortages on the East Coast and national outrage that sparked more stringent cybersecurity guidelines for pipelines.Due to the increasing number of attacks, The White House released an open letter on Thursday titled, “What We Urge You To Do To Protect Against The Threat of Ransomware” from Anne Neuberger, deputy assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology. Despite the startling increase in ransomware attacks in the last few months, Neuberger touted the White House’s efforts to deal with the crisis, noting that the US government is currently “disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.”But she added that it was important for the private sector to do its part in addressing the cybersecurity posture of their organizations. 

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger said. She urged business leaders to “immediately convene their leadership teams to discuss the ransomware threat” and enhance security measures as well as continuity plans in case they are attacked. Neuberger included a list of best practices and suggestions that ranged from the creation of data backups to prompt system patches, third party cybersecurity reviews, and segmented networks. “Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany and France, to pipelines in the United States and banks in the UK,” Neuberger wrote. “The US Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility.”Setu Kulkarni, vice president of strategy at WhiteHat Security, said the two pieces of advice that stood out from the letter are the incident response testing and pen testing. Kulkarni explained that often organizations treat incident response plans like business continuity plans, only creating them for compliance. “We need to make a change here to treat the incident response plan much like a fire drill or an earthquake drill so that when the inevitable breach happens, the entire organization is clear on the first few steps and that will give them the time they need to counter the threat effectively rather than scrambling at the nth minute,” Kulkarni said. “The memo should be updated to further emphasize penetration testing of production systems in a continuous manner — this is important because while the production systems may not change that often, the adversary and the threat landscape are fast evolving in an attempt to breach these production systems.” Focusing on continuous production security testing of web, mobile and API applications, Kulkarni added, should be non-negotiable. But Kulkarni said the memo fell short because it does not create an environment of incentives and disincentives for organizations to double down on these security fundamentals. Tony Cole, CTO of Attivo Networks and a former executive at FireEye, McAfee, and Symantec, told ZDNet that there were a variety of reasons behind the recent spate of ransomware attacks. Enterprises have an over reliance on vendors and in general, organizations continue to add digital tools to their operations which increase the complexity of work for cybersecurity officials.   Cole, who previously worked as a cyber operator for the US Army, added that there is a general lack of cyber defenders with the needed skill sets to keep organizations safe as well as systems that prevent privilege escalation. “No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts,” Cole said. “Organizations must understand that they can’t prevent all attacks.” Dozens of cybersecurity experts told ZDNet that the letter was an appropriate move considering the current landscape of cyberthreats. Many, like Egnyte cybersecurity evangelist Neil Jones, said there has been a marked shift from simple data theft and cyber-espionage to attacks specifically designed to cripple critical services and business productivity. Others echoed Neuberger’s letter in saying that companies now need to prepare for when, not if, they are hit with ransomware. Tom Garrubba, CISO of Shared Assessments, questioned why critical infrastructure organizations are not being held more accountable and said it was time for certain enterprises to be held to a higher level of legislative scrutiny, like financial institutions and even retail enterprises.”Perhaps it’s time to bring in the executives and board members of these breached organizations to publicly explain these breaches and how their organizations are addressing the IT risks in the current environment,” Garrubba explained. “Every C-Suite and BoD needs to be similarly prepared to answer these questions.”Sophos senior security advisor John Shier noted that the financial incentives of ransomware attacks need to be removed in order to address the problem. Shier said attackers want to hit where it hurts the most to increase their likelihood of a large payout, but most ransomware attacks aren’t targeted scenarios, as seen with the Colonial Pipeline attack. “Attackers are opportunistic. Once they realize they’ve secured a potentially lucrative victim, they go all in — that’s when they become targeted attacks,” he added, explaining that while no defense can be bulletproof, putting up tougher barriers will force cybercriminals to move on to easier targets.  While many experts said it was important to have plans in place for how to recover from an attack, Gurucul CEO Saryu Nayyar said organizations had to implement defenses that could reduce their attack surface and detect ransomware attacks in real-time. “The technology is available. It’s just a matter of putting it in place and working diligently to identify and derail cybercriminals and malicious insiders before they derail you,” Nayyar told ZDNet.But even with a slate of cybersecurity tools available, many IT teams and CISOs do not have the full buy-in from the leaders of their organization. The letter may help justify requests for bigger cybersecurity budgets and more help, according to Digital Shadows CISO Rick Holland. “One comment that stands out to me from Neuberger’s memo is the need for a ‘skilled, empowered security team.’ We so often focus on technology to solve our problems,” Holland said. “Focus on your teams first; have dedicated training and development programs.” Doug Britton, CEO of Haystack Solutions, said that while the recommendations from the White House were accurate and worthwhile, the biggest problem is finding a team able to implement the measures. “Unfortunately, with hundreds of thousands of cyber positions unfilled in the US alone, the million-pound gorilla in the room is, ‘where are the qualified cyber practitioners that can expertly implement the recommendations?'” Britton said.  “Ideally, the national strategy will also rethink the underlying economics of identifying the potential talent, decreasing the cost of training the talent, and retaining that talent in industry.”Kulkarni echoed those remarks, noting that the need for a skilled security team was one area where the gap is the largest between aspiration and reality.”There are just not enough security personnel in the world to staff security teams in organizations today,” Kulkarni said. “What is needed is a combinatorial approach: accelerated and scaled-up security training in the country for security professionals plus training the general population about avoiding risky online behavior.” More

When things take longer than they should, it takes up time that can be much more enjoyably spent elsewhere. There’s no reason for that, when the problem may be that you just don’t have the right software. And if that’s the case, then all you need in order to boost your productivity is The All-Star Mac Bundle Featuring Parallels Pro. Fortunately, it’s being offered at a 30% discount for a very limited time, when you use the code ALLSTARMAC.

For instance, you can streamline your operating systems usage by running macOS and Windows at the same time using the Parallels Pro: 1-Yr Subscription included in this bundle. Buyers really love this service, they gave it a remarkable 4.7 out of 5 stars rating on Trustpilot. Then you can protect your privacy forever, not only on your Mac but also on up to 5 other devices, with a lifetime subscription to FastestVPN. Since you don’t have to sacrifice speed for security, this is a critic’s choice. According to TenBestVPNs:”FastestVPN is one of the most promising VPN services in the market.”Once you’ve got your operations rolling along, you can really begin to turbocharge your productivity in perpetuity with what is arguably the most powerful contact manager you can use on a Mac, because a perpetual license to Busy Contacts is also part of this bundle. The Smart Filter and Tags features allow you to organize your contacts, plus you can sync with all the common cloud services and even integrate it with your social media accounts. While the Activity List keeps track of all your communications and other events with each contact.You will also get a lifetime license for both Macs and Windows to PDFChef, which lets you do everything you need to with pdf files, as well as a perpetual license for Moho Debut. That’s a fun 2D animation program you can use to make cartoons, videos, and more, even if you are a complete novice.Don’t miss this chance to get a 30% discount off The All-Star Mac Bundle Featuring Parallels Pro during the short time it’s available. Use the code ALLSTARMAC today and pay only $35.Prices subject to change.

ZDNet Recommends More

A recent Necro Python bot campaign has shown that the developer behind the malware is hard at work ramping up its capabilities.

On Thursday, researchers from Cisco Talos published a report on Necro Python, a bot that has been in development since 2015. The botnet’s development progress was documented in January 2021 by both Check Point Research (CPR) and Netlab 360, tracked separately as FreakOut and Necro. The developer behind the Necro Python bot has made a number of changes to increase the power and versatility of the bot, including exploits for over 10 different web applications and the SMB protocol that are being weaponized in the bot’s recent campaigns. Exploits are included for vulnerabilities in software such as VMWare vSphere, SCO OpenServer, and the Vesta Control Panel.  A version of the botnet, released on May 18, also includes exploits for EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147).  The bot will first attempt to exploit these vulnerabilities on both Linux and Windows-based operating systems. If successful, the malware uses a JavaScript downloader, Python interpreter and scripts, and executables created with pyinstaller to begin roping the compromised system into the botnet as a slave machine.  Necro Python will then establish a connection to a command-and-control (C2) server to maintain contact with its operator, receive commands, to exfiltrate data, or to deploy additional malware payloads.  A new addition to the bot is a cryptocurrency miner, XMRig, which is used to generate Monero (XMR) by stealing the compromised machine’s computing resources. 

“The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems,” the researchers say. “If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.” Other features include the ability to launch distributed denial-of-service (DDoS) attacks, data exfiltration, and network sniffing.  A user-mode rootkit is also installed to establish persistence by ensuring the malware launches whenever a user logs in, and to hide its presence by burying malicious processes and registry entries.  Another upgrade of note is Necro Python’s polymorphic abilities. According to the researchers, the bot has a module to allow developers to view code as it would be seen by an interpreter before being compiled to bytecode, and this module has been integrated into an engine that could allow runtime modifications. The engine runs every time the bot is started and it will read its own file before morphing the code, a technique that can make bot detection more difficult.  “Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,” Talos says. “This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More