More stories


    Dumping Google Chrome: Three things you need to do if you're serious about it

    Shifting away from Google Chrome is hard. Regular readers will know that I’ve been engaged in a drawn-out process of dumping Google Chrome for several months. My last month of living and working off-grid while on my travels in Scotland made that more urgent because of how power-inefficient Google Chrome is when running on my laptops. When you’re relying on a battery power station and solar panels, getting an extra 90 minutes or so of runtime makes all the difference.


    The problem is that Google Chrome is less a browser and more a mini operating system that does so much. It’s also a repository for a lot of data that are needed to function in the modern world. Shifting to a new platform is super hard, and I find myself coming and going between different browsers, which itself is causing more problems because I’m spreading tabs and data in different places. I spent some time looking at what the pinch points were in making the shift and came across three things that I needed to do to pave the way for a clean break. Here’s what I needed to do.

    #1: Get all passwords out of Google Chrome into a good password manager

    Despite my best efforts to make sure that all my passwords are in my password manager, I still, annoyingly, had stuff that only existed in Chrome. There’s little way around this other than to export everything from Chrome, manually go through the passwords, and add the ones that were missing to my password manager. My current password manager of choice is Bitwarden, although LastPass and 1Password also come highly recommended. But whatever you choose, I suggest you get something you’re comfortable using across all the platforms you use, and it’s worth checking to make sure there’s a browser extension available for the browser you’re switching to.


    To export your data from Chrome, the process is different between the desktop and mobile versions.

    Desktop:

    1. Type chrome://settings/passwords into the address bar and press ENTER
    2. Click on the three vertical dots ⋮ to the right of Saved Passwords and click Export passwords…
    3. You may need to confirm the action and authenticate
    4. Save the file as CSV (comma-separated values)

    Mobile:

    1. Tap the three dots ⋯ and tap Settings
    2. Tap Passwords
    3. Tap Export Passwords
    4. You may need to confirm the action and authenticate, then save the file

    Rather than have a bunch of duplicates in my password manager, I like to edit the file so it only contains passwords that I don’t already have in the password manager (a CSV file is a text file). To find out how you import the data into your password manager, you will need to consult the documentation. Also, remember to securely delete that CSV file when you’re done — it contains your passwords! This is boring and time-consuming, but necessary.

    #2: Install must-have extensions into the new browser

    Take the time to do this. If you leave it until you need them, you’ll end up deciding that it’s quicker to use Chrome, and you’re digging the hole you’re in even deeper. However, given the size of the Google Chrome ecosystem, you’re not going to get a replacement for every extension (which may not be a bad thing from a performance point of view). This is also boring and time-consuming, but necessary.

    #3: Make your new browser the default

    This is a no-brainer. On desktops and laptops, browsers will offer you the chance to do this. On mobile devices, the option can be a bit buried.

    iOS:

    1. Tap Settings and scroll down to find your new browser
    2. Tap on the app, then tap Default Browser App and select your new browser

    Android:

    1. Tap Settings > Apps & notifications
    2. Scroll down and tap Advanced
    3. Tap Default apps
    4. Tap Browser and select your new browser of choice

    Doing this prevents your muscle memory from taking you back to Chrome. Hiding the icon also helps!
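The tedious part of step #1 is trimming the exported CSV down to the entries the password manager does not already hold, and then getting rid of the file. The script below is an added example of automating that, not code from the original article or from any of the password managers named. It assumes the Chrome export header `name,url,username,password` and a Bitwarden-style manager export with `login_uri` and `login_username` columns (both assumptions; other managers use different field names), matches entries by hostname plus case-insensitive username so that `https://site/login` and `site` count as the same site, writes the leftovers in Chrome's own column layout for import, and finally overwrites and deletes the temporary file. All sample rows are constructed.

```python
"""Trim a Chrome password export to the entries a password manager lacks,
then overwrite and delete the export. Added example, not from the original
article. Assumes the Chrome CSV header `name,url,username,password` and a
Bitwarden-style manager export with `login_uri` and `login_username` columns
(both assumptions; change the field names for other managers)."""
import csv
import io
import os
import tempfile
from urllib.parse import urlsplit

# Constructed sample exports (not real credentials).
CHROME_EXPORT = """name,url,username,password
example.com,https://example.com/login,alice,Chr0me-only-1
bank,https://bank.example.net/,alice@example.com,already-in-manager
forum,https://forum.example.org/login,bob,Chr0me-only-2
"""

MANAGER_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,0,login,bank,,,0,https://bank.example.net/,Alice@example.com,already-in-manager,
,0,login,forum,,,0,forum.example.org,bob,old-forum-pass,
"""


def host_of(url):
    """Reduce a URL to its lowercase hostname, so 'https://Forum.example.org/login'
    and 'forum.example.org' count as the same site."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    return urlsplit(url).hostname or ""


def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def credential_keys(rows, url_field, user_field):
    """Set of (host, username) pairs present in an export; usernames are
    compared case-insensitively."""
    return {(host_of(r[url_field]), r[user_field].strip().lower()) for r in rows}


def chrome_entries_missing_from(chrome_csv, manager_csv,
                                manager_url_field="login_uri",
                                manager_user_field="login_username"):
    """Return the Chrome rows whose (host, username) pair is absent from the
    manager export. Entries that exist in both with different passwords are
    left out too: resolve those by hand rather than import a stale duplicate."""
    known = credential_keys(read_rows(manager_csv), manager_url_field, manager_user_field)
    return [row for row in read_rows(chrome_csv)
            if (host_of(row["url"]), row["username"].strip().lower()) not in known]


CHROME_FIELDS = ["name", "url", "username", "password"]


def write_chrome_csv(rows, path):
    """Write rows back out in Chrome's own column layout, ready for import."""
    with open(path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=CHROME_FIELDS)
        writer.writeheader()
        for row in rows:
            writer.writerow({k: row.get(k, "") for k in CHROME_FIELDS})


def shred(path, passes=1):
    """Overwrite the file with zeros, sync, then unlink it. Best effort only:
    on SSDs and on journaling or copy-on-write filesystems the old blocks can
    survive, so keep exports off synced folders and empty the trash as well."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(b"\0" * size)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


def run_demo():
    """Produce the trimmed CSV in a temporary file, then shred it.
    Returns the usernames that needed importing and whether the file survived."""
    missing = chrome_entries_missing_from(CHROME_EXPORT, MANAGER_EXPORT)
    fd, path = tempfile.mkstemp(suffix=".csv")
    os.close(fd)
    write_chrome_csv(missing, path)
    shred(path)
    return [r["username"] for r in missing], os.path.exists(path)


if __name__ == "__main__":
    print(run_demo())  # (['alice'], False)
```

On the sample data only the `alice` entry for example.com is kept: the bank entry matches despite the differently cased username, and the forum entry matches even though the manager stored a bare hostname. The overwrite-then-delete is deliberately described as best effort; wear levelling on SSDs and copy-on-write filesystems can keep old copies, so the real protection is not leaving the export lying around in the first place.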


    Cybersecurity: Why a culture of silence and driving mistakes underground is bad for everyone

    Cybersecurity works best when people know that their corporate information security team will be sympathetic to mistakes. That’s because, if someone suspects they may have clicked a phishing link or fallen victim to a cyber attack, they’re much more likely to be open about it – and that helps the whole organisation stay secure against malicious hackers.

    Organisations face potential cyber threats on a daily basis as criminals attempt to breach networks using various methods including phishing, in an effort to gain usernames and passwords, or even to lay the foundations for a malware or ransomware attack.

    The nature of cyber defence means that an attacker only needs to be successful once in order to find an opening. Often, that opening can come in the form of an employee unintentionally falling victim to a phishing email, an incident which, if left undetected and unchecked, could have significant consequences for the organisation as a whole.

    Organisations should therefore be understanding with employees and encourage them to contact their information security team if they suspect they may have fallen victim to a phishing attack or any other potentially malicious activity.

    “The last thing I think we want to do – whether people are at home or in the office – is to create a sort of culture where you drive incidents or mistakes underground,” David Emm, principal security researcher at Kaspersky, told ZDNet Security Update.

    “Because actually as an IT department, you want to know if somebody clicked a link and they shouldn’t, you want them to ring you up and say ‘I think I’ve done something silly, I didn’t realize I clicked on a link’ – great, okay, we can manage that now we know about it.”

    There’s a risk that if people are worried they’ll be punished for making a cybersecurity mistake, they won’t come forward to talk about it in the first place – and that’s only going to cause more serious issues, especially if cyber criminals have managed to infiltrate the network.

    “If people don’t want to tell you, because they think they’re going to get into serious trouble, it just goes underground and you have no visibility of that,” said Emm.

    And if organisations don’t have any indication that there could be malicious activity within their network, they can’t look for it, meaning a malicious hacker could be inside the network for a long time, laying the groundwork for a significant cyber attack.

    So making sure employees feel comfortable coming forward about potential incidents, and that the information security team is going to be sympathetic – rather than punishing them – is key to helping the whole organisation stay safe from cyber attacks.

    “Trying to encourage a feeling whereby people feel enabled or empowered to say things is really important, because that way, if you have visibility into it, you can manage it,” said Emm.

    XSS vulnerability found in popular WYSIWYG website editor

    A cross-site scripting (XSS) vulnerability has been found in a WYSIWYG editor used by at least 30,000 websites. 

    Discovered by Bishop Fox security consultant Chris Davis and publicly disclosed on Wednesday, the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators. Wappalyzer estimates that Froala is in use by approximately 30,000 web domains.

    According to Bishop Fox, the WYSIWYG editor contains a security flaw in its HTML sanitization parser, allowing attackers to bypass existing XSS protections. The vulnerability can be triggered by inserting a JavaScript payload in an HTML event handler within specific HTML and MathML tags, which will cause the parser to mutate the payload into JavaScript commands.

    “The XSS is caused by a confusion during the HTML parsing sequence,” Davis said. “The <math> tag causes the parser to switch its namespace context from HTML to MathML, which does not parse in the same manner as HTML. The <iframe> and embedded HTML comment <!-- causes the parser to switch context during the tokenization phase of HTML parsing and read the strings that follow as user data (RCDATA) rather than computer instructions.”

    As a result, XSS can be triggered. Cross-site scripting attacks often allow attackers to act as a victim user when they interact with a vulnerable application, and consequences can range from privilege escalation to data leaks or, in the worst scenarios, actions such as forcing an unauthorized fund transfer.

    “In Froala’s case the vulnerability may reflect itself as either stored or reflected depending on the application that uses it and therefore the impact will vary,” the researcher says. “The context of the application leveraging Froala will also dictate the impact of the vulnerability.”

    CVE-2021-28114 was first discovered on February 26 and Froala was contacted on March 4.
    The vendor developed and released a patch in version 3.2.7 on May 18; however, Bishop Fox retested the software and found that the bug, in some configurations, had not been fully resolved. While a public disclosure timeline extension was offered, no adjustments were made. When contacted, the vendor pointed us to the changelog. XSS bugs were previously patched in versions 3.2.2 and 3.2.3.

    To mitigate the risk of this vulnerability, users should upgrade to at least version 3.2.7. The latest version available, v4.0, was released on June 1.

    Texas proving grounds to test AI in the real world

    How do you test out how AI will interact with physical systems in a real-world environment? If you’re SparkCognition, an infrastructure-focused artificial intelligence (AI) company, you build a physical laboratory and testbed and let your engineers go wild.

    The company announced the opening of what it’s calling HyperWerx, an autonomy facility that will help showcase the potential of AI integrated with physical systems and a proving grounds where SparkCognition and partners can throw some high tech spaghetti at the wall.

    These types of test beds have a long lineage in robotics labs like Willow Garage and with engineering playgrounds like Bell Labs. In a sector that’s often thought of as software-first, this kind of embodied testing is an important step in bringing AI to the real world.

    “When you work with technology as nebulous as software, it can be challenging to visualize exactly how AI and physical systems will work together. Beyond that, it is simply not possible to develop new physical applications without the experimentation, testing and safety validation process,” says Amir Husain, Founder and CEO of SparkCognition. “With that in mind, we conceived HyperWerx – a place where we can truly explore the interplay between AI software and the physical systems, which I believe will be a core driver in shaping the future of society.”

    The new facility sits on 50 acres in the greater Austin area. One of the key areas of focus will be robotics and aerial vehicles designed for infrastructure inspection and other tasks, including commercial and defense applications. HyperWerx will allow SparkCognition to deploy and test complex sensor payloads. It will also be a useful testbed for the company’s SkyGrid platform, a joint venture with Boeing designed to be the world’s first aviation operating system built on AI and blockchain.

    The company has big plans for AI technology for applications like defense via SparkCognition Government Systems, a wholly owned subsidiary devoted to government and national defense.

    “As technology progresses exponentially, our physical world is increasingly intersecting with the digital world – and exploring the fusion of hardware and software has never been a greater imperative,” says Steve Nordlund, Vice President and General Manager of Phantom Works at The Boeing Company, and Chairman of the Board of Directors at SparkCognition. “With the launch of HyperWerx, SparkCognition is proving its ongoing commitment to bringing the potential of AI to life, solving real world challenges facing its customers and partners.”

    Russian underground forums launch competitions for cryptocurrency, NFT hacks

    Cybercriminals in underground forums have been soliciting techniques for compromising cryptocurrency services.

    Capture the Flag competitions, conference calls for papers, and gamification in cybersecurity courses designed to equip learners with hands-on skills are all common in the white hat realm, but on the other side of the fence, contests are also being launched by cybercriminals to create new offensive techniques.

    Over the past month, according to Intel 471, operators of Russian underground forums have been running a competition asking for papers that examine “how to target cryptocurrency-related technology.” Starting April 20, the contest requests unorthodox methods covering everything from the theft of private keys and wallets used to store cryptocurrency including Bitcoin (BTC) and Ethereum (ETH) to submissions for “unusual” cryptocurrency mining software, as well as proposals relating to smart contracts and non-fungible tokens (NFTs).

    According to the team, proposals were accepted over 30 days, with the forum administrator claiming that $100,000 in prizes would be awarded to the ‘best’ research — and a further $15,000 was shortly added to the pool. Some papers were posted for the wider forum to appraise, including ways to manipulate APIs used by cryptocurrency platforms, the use of phishing websites to harvest keys and seed phrases, and more.

    Underground forum contests are nothing new, and similar forums have launched their own versions in the past asking for everything from software vulnerabilities to ATM and point-of-sale (PoS) exploits.

    However, the cryptocurrency-focused contest does highlight how the virtual alternative to fiat currency is lucrative — despite, or perhaps because of, the volatility of some coins — and not just because of how cryptocurrency is abused by ransomware operators.

    A security researcher kept a major Bitcoin Core vulnerability secret for two years that could be used to crash the main BTC blockchain alongside Bcoin, Btcd, and similar blockchains. This vulnerability was quietly patched before another researcher stumbled across the same issue and its existence was made public.

    Other cryptocurrency and blockchain-related security problems of note this year are Akamai’s discovery of a botnet using BTC mining activities and the blockchain at large as a method of obfuscation, and the use of March’s Microsoft Exchange Server zero-days to install cryptocurrency mining software on vulnerable machines.

    US schools land IBM grants to protect themselves against ransomware

    IBM has awarded a total of $3 million in grants to US school districts to bolster their defenses against ransomware operators.

    All United States public K-12 school districts were eligible to apply for the grants, designed to help school officials “proactively prepare for and respond to cyberattacks.”

    The grants, worth $500,000 each, have been awarded to school districts in Florida (Brevard Public Schools), New York (Poughkeepsie City School District), Georgia (KIPP Metro Atlanta Schools), Texas (Sheldon Independent School District), California (Newhall School District), and Colorado (Denver Public Schools). IBM says that applicants were judged on their “cybersecurity needs and experiences, community resources and potential risks.”

    The IBM Education Security Preparedness Grant will sponsor IBM Service Corps, a group established in 2008 that will visit districts and review their current cybersecurity postures, as well as create assessments to identify “pain points” that need to be addressed to deal with ransomware.

    Ransomware is a form of malware that in recent years has proved to be an extremely lucrative avenue for cyberattackers. If an intrusion and infection occur, victims will find themselves locked out of their systems and faced with a blackmail demand, usually in cryptocurrency and reaching millions of dollars, in return for a decryption key. This key may or may not work, and if victims refuse to pay, they may also be faced with a double-extortion tactic — in which any confidential data stolen during the initial stages of a ransomware attack will be leaked online or sold unless they bow to the cybercriminals’ demands.

    We’ve seen just how disruptive these attacks can be through the global WannaCry outbreak, and more recently, a ransomware outbreak on Colonial Pipeline’s networks that caused fuel shortages, as well as the impact on patients of Ireland’s health service, which has also been targeted by ransomware operators.

    When it comes to schools, 2020 was a “record-breaking” year for cyberattacks, according to the K-12 Security Information Exchange. In the organization’s latest report on K-12 security, the group says that attacks have highlighted “significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.”

    IBM says that the applications received revealed there is a massive disparity in cybersecurity budgets, with half of school districts able to raise less than $100,000 for cybersecurity spending — an especially problematic fact for smaller districts, which face the same cybersecurity challenges as larger districts able to raise millions of dollars.

    Over 7,800 US schools and over 4 million students were represented in the applications. In total, over 40% of districts said they had already suffered a ransomware attack, and over 55% of school districts have no security training programs in place. The grant receivers will begin working with IBM this summer.

    “It’s extremely encouraging to see how many school districts are taking an active role in trying to better their cybersecurity,” said Christopher Scott, Director of Security Innovation, Office of the CISO at IBM. “This is not only an important decision as schools continue to operate remotely, but also as students look to get back to the classroom.”

    Cisco launches Cisco UCS X-Series, tools for multicloud, hybrid cloud deployments

    Cisco launched the Cisco UCS X-Series, a new modular system designed for hybrid cloud deployments, as well as observability throughout the stack and network intelligence.

    UCS X-Series was rolled out during Cisco’s Future Cloud event, which featured a host of product launches. With its UCS revamp Cisco joins an increasingly crowded field in the hybrid cloud space. Dell Technologies, Hewlett Packard Enterprise and IBM, which acquired Red Hat, are all betting on infrastructure that bridges data centers, clouds and edge compute.

    Todd Nightingale, general manager of Cisco’s enterprise networking and cloud unit, said the company is focused on providing observability across the enterprise stack. “The real focus is on observability top to bottom from server to application,” said Nightingale.

    While Cisco UCS X-Series is the headliner, the networking giant launched a series of products, integrations and applications for hybrid and multicloud deployments. Here’s the rundown of what Cisco launched:

    • UCS X-Series: UCS is used in data centers by more than 50,000 global customers. Nightingale said that UCS X-Series includes Cisco’s UCS X-Fabric technology and aims to blend the best of rack and blade technologies.
    • Intersight Cloud Orchestrator, a low-code automation tool for IT Ops workflows.
    • Intersight Workload Engine, a Cisco operating system for Hyperflex that is built on open-source Kubernetes and Kernel-based Virtual Machine (KVM).
    • Cisco Service Mesh Manager, an extension for observability and management of policy-based security.
    • Cisco Cloud ACI, which will be available for Google Cloud in the fall of 2021. Cisco Cloud ACI manages hybrid and multicloud deployments and already connects to AWS and Microsoft Azure.
    • Integration of ThousandEyes with Cisco Catalyst 8000 Edge Series for SD-WAN and Cisco Nexus 9000 switches.
    • Nexus Dashboard Orchestrator, to manage policies across clouds and on-prem deployments.

    Cisco also rolled out a series of advisory services to go along with the rollout.

    RBA to step up cyber resilience with new identity and access management system

    The Reserve Bank of Australia (RBA) said it is looking to modernise its identity and access management (IDAM) capabilities by introducing more automated controls to its existing platform.

    The RBA explained it currently relies heavily on a mix of manual and automated processes to enforce bank controls but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities.

    “Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request. “In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.”

    Under the IDAM project, the RBA said it wants to see the delivery of identity governance and administration, hybrid identity infrastructure and passwordless multi-factor authentication capabilities, a privileged access management system, and customer identity and access management integration.

    According to the request for tender, the RBA wants the solutions to have a minimal on-premise footprint, but it did not specify whether they needed to be completely in the cloud, despite the fact that the bank is currently implementing a cloud-focused strategy.

    The successful vendor will enter an 18-month contract, with a possible three-year contract for ongoing support. The planned start date for the project is November 2021, with an expected completion date of April 2023.

    During a round of audits last year, the Australian National Audit Office found the RBA was effective in managing cybersecurity risks and had implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight.

    The bank’s assistant governor of corporate services Susan Woods detailed that the bank also relies on other arrangements to remain cyber resilient, including formal and not so formal training, team-bonding exercises, and holding “FedEx days” for security specialists.

    “We use many different tactics from formal training to email campaigns and events like our FedEx days to try and educate and make people more aware,” she told the Joint Committee on Public Accounts and Audit last May. “We call them FedEx days because we take a particular security challenge and within a day they have to identify, design, and implement a solution to the challenge, so they tend to be small problems but nevertheless meaningful ones, and we get people talking and thinking about the problems that we might face from a cyber perspective, and how they could deal with those.”