More stories

  • in

    ANAO: Auditing not driving improvements in Commonwealth cybersecurity adherence

    The Australian National Audit Office (ANAO) has said it considers continued transparency through reporting to Parliament on cybersecurity risk to be a positive, but it remains concerned that this may not be enough to drive improvement. In documentation [PDF] prepared for the Joint Committee of Public Accounts and Audit (JCPAA), ANAO said it was clear that auditing and reporting alone have not driven improvement in compliance with the government’s cybersecurity policy.

    “Non-corporate Commonwealth entities have not been held to account for not meeting the mandatory cybersecurity requirements under PSPF Policy 10,” it wrote, in reference to the Protective Security Policy Framework (PSPF) Policy 10, which is centred on safeguarding information from cyber threats. “The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements.”

    The JCPAA last year reviewed a pair of reports from ANAO and handed down a number of recommendations in its own report, published in December. One of the recommendations asked ANAO to consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities.

    “The review should examine and report on the extent to which entities have embedded a cyber resilience culture through alignment with the ANAO’s framework of 13 behaviours and practices,” JCPAA asked. “The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies in the Information Security Manual and be conducted for five years, commencing from June 2022.”

    ANAO said implementing the recommendation poses a number of practical challenges from an audit perspective, the first being the cybersecurity risk concerns it expects the Australian Signals Directorate (ASD) to raise.

    “ASD has advised that a system-level report would pose cyber risks that it believes would be unacceptable. Given ASD is the technical expert, it is best placed to assess those risks and therefore difficult for the ANAO to take a different view,” it said.

    ANAO also considers the scope proposed in the recommendation challenging, given that only non-corporate Commonwealth entities are mandated to apply the PSPF. It said the fact that there are currently 98 non-corporate entities subject to the policy also creates a scope challenge. “The absence of assurance over material reported by entities to AGD in their self-assessments means that audit procedures would need to be conducted across the population of entities’ self-assessments (whole or risk-based sample) to assure accuracy,” ANAO added.

    It also said limited assurance procedures would not result in a report that informs the Parliament about the actual implementation of cybersecurity requirements. “Current ANAO work in cybersecurity in both financial statements audits (IT controls) and in performance audits indicates that the ANAO is likely to find issues with the accuracy of self-assessments,” it wrote.

    “In the event that accuracy issues are found, the ANAO would conclude that the report could not be relied upon, but would not report on whether entities actually do meet the requirements of the PSPF.”

  • in

    Brazil creates cyberattack response network

    Brazil has created a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies. Created through a presidential decree signed on July 16, the Federal Cyber Incident Management Network will encompass the Institutional Security Office of the presidency as well as all bodies and entities under the federal government administration. Public companies, mixed capital companies and their subsidiaries may become members of the network on a voluntary basis. The network will be coordinated by the Information Security Department of the Office of Institutional Security of the presidency, through the government’s Center for Prevention, Treatment and Response to Cybersecurity Incidents.

    The Digital Government Secretariat (DGS), which operates under the Special Secretariat for Management and Digital Government of the Ministry of Economy, will have a strategic role in the formation of the network. The DGS is the central body of SISP, a system used for planning, coordinating, organizing, operating, controlling and supervising the federal government’s information technology resources across more than 200 bodies.

    According to the DGS, the information sharing outlined in the decree that creates the network is expected to improve the articulation of SISP in terms of prevention of incidents, as well as actions required in a possible cyberattack. The Secretariat also implied that there is an expectation that public companies such as Dataprev, the government’s social security technology and information company, and Serpro, the federal data processing service, will join the initiative even though their participation is not compulsory.

    Having immediate knowledge about attacks as well as potential vulnerabilities being exploited will enable the Secretariat to alert other bodies to enforce the necessary containment measures, it noted, adding that another area of focus could include the development of guides and training to address the main issues identified by the network.

    Mentioning Brazil’s improvement in the latest Global Cyber Security Index by the United Nations, where Brazil rose 53 positions in the ranking from 70th place in 2018 to 18th in 2021 – the best result across all of Latin America – digital government and management secretary Caio Mario Paes de Andrade noted the creation of the network will help the Brazilian federal government to further strengthen its role in confronting cyber threats.

    “The advancement of digital transformation must be accompanied by the protection of users and we have ensured this protection,” the secretary noted. “The network’s rationale is to further foster the culture of coordinated confrontation within the government, so that we can continue advancing on the issue of cyber security.”

    According to a survey released earlier this month, Brazilians are concerned about the security of their data. The survey found that fear of cyber attacks is high among Brazilian users, with 73% of respondents reporting having suffered some kind of digital threat, such as receiving fake messages from companies or having passwords stolen.

  • in

    Kaseya denies paying ransom for decryptor, refuses comment on NDA

    Software company Kaseya has denied paying a ransom for a universal decryptor after days of lingering questions about how the tool was obtained. On July 21, the company announced that a universal decryption tool had been obtained “from a third party” and that it was working with security company Emsisoft to help victims of the sprawling ransomware attack. On Monday, Kaseya released a statement denying rumors that it paid a ransom to REvil, the ransomware group that launched the attack. REvil initially released a ransom demand of $70 million but reportedly lowered it to $50 million before its entire operation went dark on July 13.

    “We are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor,” Kaseya’s statement said. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment.”

    The statement goes on to address reports suggesting that the company’s “continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks.”


    According to the statement, Emsisoft and Kaseya’s Incident Response team worked through the weekend providing the decryptor to some of the 1,500 victims affected by the attack, which included a major supermarket chain in Sweden, Virginia Tech University and the local government computers in Leonardtown, Maryland. 

    The company said it is encouraging any victims to come forward, adding that the tool “has proven 100% effective at decrypting files that were fully encrypted in the attack.”

    While the news of a universal decryptor was welcomed by hundreds of affected victims, some noted that Kaseya was requiring companies to sign a non-disclosure agreement in exchange for the decryptor. CNN confirmed that Kaseya was requiring the non-disclosure agreement in order to gain access to the decryptor. Kaseya spokesperson Dana Liedholm and multiple cybersecurity companies involved told ZDNet they were unable to comment on the non-disclosure agreement.

    Former White House Chief Information Officer and cybersecurity expert Theresa Payton said non-disclosure agreements after attacks are more common than one would think, but noted that “asking for an NDA from victims is not an everyday, every incident practice.” “When a cyber incident impacts multiple victims in a supply chain attack, sometimes the legal counsel will ask victims to sign an NDA to ensure that the fix for the problem does not get disclosed publicly,” Payton said. Payton added that the reasons behind asking for a non-disclosure agreement are not always nefarious and urged companies to consult their lawyers before signing anything.

    “If the reason behind the NDA is to ensure that the 3rd party that provided the key is not disclosed and the manner in which the decryption is made available is not disclosed, then the NDA makes a lot of sense,” Payton told ZDNet. “We don’t want to tip our hands publicly to the cyber operatives behind any of the ransomware syndicates. We need to keep the nefarious cyber operatives guessing. If the NDA is not for that reason and is instead a legal maneuver to avoid lawsuits that is disappointing. Given the large impact, it is understandable why their legal counsel might recommend the NDA for legal protections.”

    Mark Kedgley, CTO at New Net Technologies, said it was an extremely rare set of circumstances considering Kaseya is both the exploited vendor and the provider of the decryption kit. He added that the NDA “will help diminish further analysis and discussion of the attack.” “While you could see this would be desirable for Kaseya, it won’t further the cyber security community’s understanding of the breach,” Kedgley said.

  • in

    Ransomware: Here's how much victims have saved in ransom payments by using these free decryption tools

    Ransomware gangs have been prevented from making over a billion dollars following ransomware attacks by free decryption tools made available by the No More Ransom scheme. The project, founded by Europol, the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee, launched five years ago and has grown to involve 170 partners across law enforcement, cybersecurity companies, academia, and others.

    The No More Ransom portal now offers 121 free ransomware decryption tools which can decrypt 151 ransomware families. They’ve helped more than six million ransomware victims recover their encrypted files for free – all without the need to give in to the demands of cyber extortionists. The portal is available in 37 languages and has been used by ransomware victims around the world. The website’s ‘Crypto Sheriff’ allows users to upload encrypted files to help identify which form of ransomware they’ve fallen victim to, then directs them to a free decryption tool if one is available.

    So far, this has saved victims from paying just over €900 million – or just over a billion dollars – to cyber criminals, disrupting ransomware groups’ ability to profit from their campaigns. “Together we will do everything in our power to disrupt criminals’ money-making schemes and return files to their rightful owners, without the latter having to pay loads of money,” says the mission statement on the No More Ransom website.

    To mark the five-year anniversary of No More Ransom, the website has been updated to be more user friendly, with updated information on ransomware as well as advice on how to prevent a ransomware infection – for both regular and business users, because as Europol notes, “Anyone can be a target – individuals and companies of all sizes”.  That advice includes regularly making backups of data, so that in case of a ransomware attack, the network can be restored in the least disruptive way possible with the most recent data available.   No More Ransom also suggests that software and operating systems are kept up to date with the latest security patches, to stop cyber criminals from exploiting known vulnerabilities to help carry out ransomware attacks.  It’s also suggested that corporate networks and remote desktop protocol (RDP) services are secured with multi-factor authentication, to provide an extra barrier to help stop cyber criminals from being able to access the network in the first place.  No More Ransom also recommends that despite the disruption caused by ransomware attacks, victims shouldn’t give in and pay. Not only because there’s no reason to trust that criminals will provide a legitimate decryption key, but paying just shows that ransomware works, encouraging further attacks.  “If the ransom is paid, it proves to the cyber criminals that ransomware is effective. As a result, cyber criminals will continue their activity and look for new ways to exploit systems that result in more infections and more money on their accounts,” says the No More Ransom advice.


  • in

    Microsoft: Here's how to shield your Windows servers against this credential stealing attack

    Microsoft has posted an advisory and detailed instructions on how to protect Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam.


    The PetitPotam take on the NTLM Relay attack was discovered last week by French security researcher Gilles Lionel, as first reported by The Record. The tool Lionel posted can “coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function,” he explains. In other words, an attacker can force a remote Windows server, including a domain controller, to authenticate to an attacker-controlled host; the coerced NTLM authentication can then be relayed to another service, such as AD CS web enrollment, to obtain a certificate in the server’s name.

    Microsoft notes that PetitPotam “is a classic NTLM Relay Attack” of the kind it described in a 2009 security advisory, which it says “can potentially be used in an attack on Windows domain controllers or other Windows servers.” It says customers may be vulnerable to PetitPotam if NTLM authentication is enabled on a domain and Active Directory Certificate Services (AD CS) is in use with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

    To prevent NTLM Relay Attacks under these conditions, Microsoft advises domain admins to ensure that services which permit NTLM authentication “make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.” “PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks,” Microsoft notes in ADV210003.

    Microsoft has provided more detailed mitigation instructions in a separate KB article, KB5005413. Microsoft’s “preferred mitigation” is disabling NTLM authentication on a Windows domain controller. But it also has detailed and graphical instructions for alternative mitigations if it’s not possible to disable NTLM authentication on a domain, including disabling NTLM on the AD CS servers themselves, disabling NTLM for IIS on the AD CS servers, and enabling EPA on the web enrollment endpoints. “They are listed in order of more secure to less secure,” it notes.
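    The following script is an added example, not Microsoft’s KB content or Lionel’s tool. It is a read-only audit of an AD CS web server against the hardening points the KB lists: EPA token checking on the enrollment endpoint, TLS required on that endpoint (EPA only binds the channel when the connection is TLS), no NTLM-capable provider left in the IIS Windows authentication provider list, and the host-level “Restrict NTLM: Incoming NTLM traffic” setting. The site name “Default Web Site”, the application list, and the registry value names are assumptions for a default deployment; change them to match yours.

```powershell
# Added example (not from KB5005413): audit a CA web server for PetitPotam relay protections.
# Assumes the default IIS site name and the default CertSrv virtual directory; adjust $Site/$Apps.
# Run in an elevated PowerShell on the AD CS web server. Requires the WebAdministration module.
Import-Module WebAdministration

$Site = 'Default Web Site'
$Apps = @('CertSrv')   # add CES/CEP application names here if Certificate Enrollment Web Service is installed

$findings = @()

foreach ($app in $Apps) {
    $path = "IIS:\Sites\$Site\$app"
    if (-not (Test-Path $path)) {
        $findings += "$app: application not found under '$Site' (check the site/app names)"
        continue
    }

    # 1. Extended Protection for Authentication: only 'Require' rejects relayed tokens.
    $epa = Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking'
    if ("$epa" -ne 'Require') {
        $findings += "$app: extendedProtection tokenChecking is '$epa' (expected 'Require')"
    }

    # 2. EPA channel binding needs TLS on the endpoint.
    $ssl = Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    if ("$ssl" -notmatch 'Ssl') {
        $findings += "$app: sslFlags is '$ssl' (TLS not required on the enrollment endpoint)"
    }

    # 3. Provider list: a bare 'Negotiate' still allows NTLM fallback; the KB wants Negotiate:Kerberos only.
    $providers = Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' `
        -Name 'Collection' | Select-Object -ExpandProperty value
    if ($providers -contains 'NTLM' -or $providers -contains 'Negotiate') {
        $findings += "$app: Windows auth providers still NTLM-capable: $($providers -join ', ')"
    }
}

# 4. Host-level NTLM restriction (policy "Network security: Restrict NTLM: Incoming NTLM traffic").
#    0 = allow all, 1 = deny domain accounts, 2 = deny all accounts.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = (Get-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($incoming -ne 2) {
    $findings += "RestrictReceivingNTLMTraffic is '$incoming' (2 blocks incoming NTLM on this host)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No PetitPotam-relevant gaps found on this host.'
}
```

    The script only reports; it changes nothing. Treat a clean result as necessary, not sufficient: it covers the AD CS web endpoints and the local NTLM policy, while the domain-level “NTLM authentication in this domain” setting that Microsoft prefers is a Group Policy decision taken on the domain controllers, not on the CA web server.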

  • in

    Want lifetime VPN protection and a Hushed private phone line? Now you can for just $30

    There are so many threats to our personal data, even from companies we are supposed to be able to trust, it can sometimes seem like it’s impossible to stay safe. But it may be a whole lot easier to protect yourself than you imagined when you have the right tools. The Lifetime Mobile Privacy & Security Subscription Bundle may actually be all that you need.


    You get a lifetime subscription to KeepSolid VPN Unlimited, which will allow you to browse forever while protecting all of your online activity. It has a wide variety of features that will work together to keep hackers out of your sensitive personal data. You will enjoy military-grade encryption with no limits to your speed or bandwidth, and there is even a kill switch. The service has over 400 servers, so you can also access content regardless of geographic restrictions. It works on Windows, macOS, iOS, and Android, so you can use it on your computer, laptop, and mobile devices. KeepSolid VPN was named PC Mag’s Top VPN and Laptop Review Pro’s Best VPN for Laptop, so you know that the service will do exactly as it claims.

    The second part of the bundle is a Hushed Private Phone Line that includes 6,000 SMS messages or 1,000 voice minutes that automatically renew every year. This service provides you with a secure extra phone number that allows you to keep your real phone number hidden. Instead of having to commit to another expensive, long phone contract, you can choose from hundreds of US or Canadian area codes to use for Craigslist, dating, work, and more. You can add more minutes or messages at any time and make calls using WiFi or mobile data. Hushed Private Phone Line is extremely popular. It has received more than 5,000 reviews on the App Store and has an average rating of 4.6 out of 5 stars.

    Now you can protect yourself while browsing, talking, and texting. Don’t pass up this chance to get The Lifetime Mobile Privacy & Security Subscription Bundle while it’s on sale for just $29.99.


  • in

    Twitter handle swatter jailed after victim dies following home raid

    A man has been jailed for his role in a swatting incident leading to the death of a 60-year-old man.

    The victim, Mark Herring, was a resident of Tennessee and owned the Twitter account @Tennessee, which happened to be a sought-after name. As reported by the Washington Post, the coveted handle was being pursued by Shane Sonderman, who was just under 18 years old at the time. Sonderman, together with co-conspirators, attempted to coerce Herring into giving it up by intimidating him and his family. These methods included harassing texts, cash-on-delivery food orders, and phone calls, the aim being to obtain the handle and then sell it on.

    According to federal prosecutors, in April 2020 the harassment reached a new level when Herring’s address and contact information were posted to a Discord server used by a group dedicated to obtaining valuable Twitter and Instagram handles. “C.B,” a minor in the United Kingdom, then used this information to falsely report a murder at Herring’s home. This is known as “swatting,” in which a fake report of a serious crime is illegally made to send armed law enforcement to a victim’s home address; it has been commonly reported during gaming live streams.

    Following the swat, Herring had a heart attack and passed away. His daughter told NBC that she believed he had been “scared to death.”  While out on bond, Sonderman reportedly continued to harass others for their social media handles, leading to re-arrest. Sonderman was charged with conspiracy in Memphis federal court and will now spend five years in prison. Sonderman agreed to plead guilty in return for other charges, including wire fraud, to be dropped. He must also adhere to three years of supervised release. US prosecutors say that the 20-year-old was part of a series of events that triggered a “juvenile halfway across the globe calling for emergency responses to a non-emergency.” This is not the first time swatting has had tragic consequences. In 2019, a California man was sentenced to 20 years behind bars for making swatting calls leading to a Kansas man being fatally shot by law enforcement. 



  • in

    WhatsApp chief says government officials, US allies targeted by Pegasus spyware

    The head of WhatsApp says that “allies” of US officials are among those targeted by NSO Group spyware in 2019. 

    Speaking to The Guardian, WhatsApp’s chief executive, Will Cathcart, said there are “parallels” between the 2019 attacks and a recent data leak allegedly implicating NSO Group clients in widespread cybersurveillance. Israeli vendor NSO Group has experienced bad press in recent weeks due to a damning report issued by Forbidden Stories, Amnesty International, and various media outlets worldwide. Forbidden Stories claimed that a leaked list of over 50,000 phone numbers allegedly revealed individuals either “of interest” or selected for targeting by clients. According to the non-profit’s Pegasus project, while an appearance on the list does not mean that someone was targeted or compromised by Pegasus, infection by the firm’s spyware was confirmed in “dozens” of cases.  Pegasus spyware has capabilities including remote access, both email and browser monitoring, location checks, information exfiltration, call recording, and the extraction of conversations across messaging applications including WhatsApp and Facebook. NSO Group markets its products for use in criminal and terrorism-related investigations. Alongside the alleged targeting of government officials, journalists, diplomats, political dissidents, lawyers, and activists were reportedly included in the leak. 

    In 2019, WhatsApp filed a complaint against NSO Group, alleging that the company was responsible for the targeting of at least 100 human rights activists, journalists, and other figures of interest. A vulnerability in the WhatsApp video calling feature, since resolved, was allegedly exploited to load spyware on victim handsets without user interaction.

    In the latest leak, a phone number belonging to the president of France, Emmanuel Macron, was said to be included in the records. Macron has now reportedly spoken to Israel’s Prime Minister, Naftali Bennett, to obtain assurances that the country is “properly investigating” the allegations laid at NSO Group’s door. However, NSO Group says that Macron was not a “target.” In contrast, last week it was reported that India’s opposition leader, Rahul Gandhi, was selected. In addition, it has been alleged that Pegasus has been used to covertly monitor the mobile devices of up to 1,000 citizens in the country over the past six years.

    Morocco has reportedly filed a complaint against Amnesty International and Forbidden Stories, citing defamation over claims the government used Pegasus to target French reporters and lawyers. Amnesty International has stood by the validity of the data set.

    Cathcart said the incident should be a “wake-up call” to all of us, adding that governments should take an active role in creating accountability for spyware vendors. “NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this,” Cathcart told The Guardian. “Should they stop? Should there be a discussion about which governments were paying for this software?”

    In an update posted July 21, NSO Group said “enough is enough” and the company would no longer answer media inquiries related to the Forbidden Stories report, and it would “not play along with the vicious and slanderous campaign.” The spyware seller said the lists obtained were not related to NSO Group and the firm does not “have access to the data of our customers, yet they are obligated to provide us with such information under investigations.” “NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary,” the company added.