More stories


    Ensign unveils cybersecurity employment scheme for individuals with autism

    Ensign InfoSecurity has inked a partnership with Singapore’s Autism Resource Centre (ARC) to roll out an employment scheme designed for individuals on the autism spectrum. The programme, which has so far led to three hires, caters to these professionals’ specific cognitive strengths, such as pattern recognition and the ability to grasp spatial concepts. The collaboration aims to create career opportunities by identifying and training suitable individuals for the industry, the cybersecurity vendor said in a statement on Friday. Established in 2000, ARC is a not-for-profit charity that supports children and adults on the autism spectrum. Its services include an early intervention programme, the autism-focused Pathlight School, two social enterprises, and an Employability & Employment Centre.

    It worked with Ensign to design the employment programme for neurodiverse professionals with cognitive strengths including analytical skills, 3D visualisation, and extended focus. Such skills make these individuals a “natural fit” for cybersecurity roles, said Ensign, which is wholly owned by local telco StarHub and state-owned investment firm Temasek Holdings. The three hires have already completed a training curriculum covering IT basics, networking, and cybersecurity fundamentals. They also received specialised training in the work of a Security Operations Centre (SOC) and in how to handle attack vectors. Ensign has employed them as SOC analysts, one of whom is associate SOC analyst Daryl Loh. Expressing his support for the programme, Loh said he was now able to monitor and analyse security threats, as well as advise his clients when relevant alerts surfaced. Ensign said it was aiming to hire up to 16 neurodiverse individuals a year, running the training programme up to four times annually. The security vendor added that it hoped such employees would eventually account for 2% to 3% of its total workforce. It has also rolled out a “structured” strategy across the organisation to help these individuals acclimatise and integrate with their colleagues. ARC’s executive director Jacelyn Lim said: “We hope this [programme] may become a blueprint for companies in the technology and cybersecurity sectors to harness the potential of these individuals in employment.” Ensign’s CIO and executive vice president of managed security services Steven Ng said: “We are confident our neurodiverse employees will introduce new thinking and fresh ideas to help us evolve our strategies, services, and solutions. We are also elevating our capabilities by hiring mid-career professionals from other industries and encouraging more female cyber talents to join the sector. This is part of our strategy to ensure we have the capabilities to constantly innovate and stay ahead of emerging cyber threats.”


    The security analyst: An expert in beginner's clothing

    This month, we are thrilled to announce new research: Role Profile: Security Analyst. This research is both a necessary document and a labor of love. I often say that security analysts have the worst job in the world, and for good reason: the hours are long, a simple mistake can have ramifications across the organization, and a wealth of tribal knowledge is needed to succeed. Despite these factors, the security analyst is viewed as an entry-level role on most security teams. This, in part, makes it difficult for security leaders to find and retain talent, especially against security vendors that can often afford to pay more, provide better benefits, and offer better opportunities for advancement. The skill required to succeed is one of the main barriers to entry in this industry. Interviewees unequivocally stated that to succeed as a security analyst, working 8 a.m. to 5 p.m. was not enough. And despite being an entry-level role, our research showed that the average security analyst job description listed:
      • One to three years of experience within cybersecurity: fewer years required with a college degree, more years required without one.
      • A preferred bachelor’s degree, with consideration of a high school diploma combined with several years of experience or certifications.
      • Preferred certifications in one or more of: Certified Ethical Hacker (CEH), CompTIA CySA+, GIAC Certified Incident Handler (GCIH).
      • Familiarity with technical subjects, including a programming or scripting language, firewalls, proxies, security information and event management (SIEM), antivirus, intrusion prevention/detection system (IPS/IDS) concepts, networking, operating systems, enterprise integrations, WAN/LAN concepts, ethical hacking tools, and TCP/IP protocols.
    The bottom line is that right now, an entry-level cybersecurity role has requirements much closer to an intermediate one.
    Time and time again, we hear how hard it is to find and hire security analysts, yet the hiring requirements demand experience that most potential candidates simply do not have. This research guides security pros on what they should look for in qualified candidates beyond, and oftentimes in spite of, traditional job qualifications like degrees, certifications, and previous expertise. Security leaders should highlight fundamental and transferable skills in job descriptions, such as:
      • Previous experience in adjacent roles, such as IT, infrastructure, networking, or administering and deploying IT tools.
      • Previous experience in high-stress situations, such as work as an EMT, firefighter, or in the armed forces.
      • Previous customer support experience.
    It is important to remember that half the point of a job description is to entice the candidate to apply to work at the company. Many job descriptions fail to say what exactly the candidate will get out of the role. To avoid this pitfall, include opportunities for growth directly in the job description to show entry-level candidates what they will gain from working with your team. Security leaders should highlight valuable investments in their team in job descriptions, such as:
      • A security education stipend for CompTIA, SANS, GIAC, or equivalent training and certification.
      • The percentage of time in the role spent broadening skills with other teams: governance, risk, and compliance; incident response; threat hunting; pentesting; and so on.
    These are just a few of the areas we have highlighted in this research to help security pros write an effective job description for a security analyst role. This post was written by Analyst Allie Mellen and originally appeared here.


    Thousands of Android users downloaded this password-stealing malware disguised as anti-virus from Google Play

    Six phony antivirus apps have been removed from the Google Play store because, instead of protecting users from cyber criminals, they were being used to deliver malware that steals passwords, bank details and other personal information from Android users. The malicious apps have been detailed by researchers at Check Point, who say they were downloaded from Google’s official app marketplace by over 15,000 users looking to protect their devices, which instead became infected with the Sharkbot Android malware. Sharkbot is designed to steal usernames and passwords, which it does by luring victims into entering their credentials in overlay windows that send the information back to the attackers, who can then use it to access email, social media, online banking accounts and more. The six malicious apps aimed to attract Android users searching for antivirus, cleaner and security apps. It is also possible that victims were sent phishing links directing them to the download pages for the Sharkbot-infested apps. The apps were able to bypass Google Play store protections because the malicious behaviour was not activated until after an app had been installed by a user and had communicated with servers run by the attackers. “We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the ‘OFF’ state during a test period in Google Play and turn ‘ON’ when they get to the users’ devices,” Alexander Chailytko, cyber security, research and innovation manager at Check Point Software, told ZDNet. According to analysis of the malware, Sharkbot won’t infect everyone who downloads it: it uses a geofencing feature to identify and ignore users in China, India, Romania, Russia, Ukraine or Belarus. Most victims who downloaded Sharkbot appear to be in the United Kingdom and Italy.
    After identifying the apps, Check Point disclosed the findings to Google, which has removed the six apps from the Google Play Store. While the Sharkbot-infected apps have been removed from Google’s official marketplace, they remain available on third-party sites, so users could still be tricked into downloading them. ZDNet has asked Google for comment and will update this story if we get a response. Anyone who suspects they have downloaded a malicious app should immediately uninstall it, scan the device with a legitimate antivirus program, and change the passwords on any accounts whose credentials could have been stolen. If there is any uncertainty about whether an app is legitimate, user reviews can help provide a clearer picture, since reviews will often say so if an app is not what it claims to be.


    Microsoft: Windows Autopatch is coming soon. Here's what you need to know

    Microsoft is rolling out an automatic Windows and Office software update service to its enterprise customers, which aims to turn ‘Patch Tuesday’ into just another Tuesday. Microsoft is releasing Windows Autopatch for customers on Windows Enterprise E3 and higher licences. The company revealed some information at its Windows hybrid work virtual event, where it explained how Windows 11 could help businesses, and has now provided more detail. Windows Autopatch will be released in July 2022, Microsoft says in an FAQ. The managed service will deliver Windows 10 and Windows 11 quality and feature updates, along with updates for drivers, firmware, and Microsoft 365 apps such as Teams, Word, Outlook and Excel.

    Businesses haven’t adopted Windows 11 quickly because of Microsoft’s security-focused minimum hardware requirements, but the software giant is betting that most enterprises will have refreshed their hardware by the time Windows 10 support ends in October 2025. The Autopatch service is tied to Patch Tuesday and aims to help “IT pros to do more for less”, Microsoft says in a blog post. “This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday’,” Microsoft says. Making sure software is up to date has perhaps never been more important: the White House is worried enough about Russian, Chinese, Iranian and North Korean state-sponsored hackers and ransomware that it recently told all US organizations to enable multi-factor authentication. “Security postures must be hardened as new threats emerge. Innovations in hardware and software enhance usability and productivity. Enterprises must continually respond to stay competitive, enhance protection, and optimize performance,” Microsoft says. The pace of change has introduced “security gaps” that will catch late adopters on the back foot, according to Microsoft. “A security gap forms when quality updates that protect against new threats aren’t adopted in a timely fashion. A productivity gap forms when feature updates that enhance users’ ability to create and collaborate aren’t rolled out. As gaps widen, it can require more effort to catch up,” Microsoft says. For Windows Autopatch to work, customers need Azure Active Directory (Azure AD), Microsoft’s Intune mobile device management service, and devices running supported versions of Windows 10 and 11. Microsoft notes that Autopatch doesn’t require “specific hardware”, but its Windows 11 hardware requirements still apply.
    The company will roll updates out to a small set of devices first before expanding to the rest. The approach resembles Microsoft’s gradual rollouts of Windows 10 feature updates, which were driven by its machine learning analysis of hardware and drivers. Admins can pause Autopatch if they run into problems and can roll back versions when needed. “The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized, which will free an IT department from that ongoing task,” it says. The service doesn’t support Windows Server or Windows multi-session. Some non-Microsoft drivers are supported: drivers classified as “automatic” are delivered through the service, but drivers classified as “manual” are not. All Surface devices will get driver updates via the service. Microsoft also explains that Windows Autopatch differs from Windows Update for Business in that it is a managed service which Microsoft itself operates, rather than a set of update policies the customer configures and runs.


    VMware warns of critical remote code execution bug in Workspace ONE Access

    VMware is urging customers to update their software to resolve critical vulnerabilities, including a remote code execution (RCE) bug in Workspace ONE Access.

    On Wednesday, the tech giant published a security advisory warning of vulnerabilities in its enterprise software. The products impacted are VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The first vulnerability is CVE-2022-22954, impacting VMware Workspace ONE Access and Identity Manager. CVE-2022-22954 is described as a server-side template injection leading to RCE and has been issued a CVSS severity score of 9.8; it can be exploited by any attacker with network access to the product. VMware has also developed patches for CVE-2022-22955 and CVE-2022-22956, both with a CVSS score of 9.8 and impacting VMware Workspace ONE Access. These vulnerabilities lie in the OAuth2 ACS framework; according to the vendor, “a malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.” Two further bugs, CVE-2022-22957 and CVE-2022-22958 (CVSS 9.1), have been resolved in Workspace ONE Access, Identity Manager, and vRealize Automation. An attacker could trigger deserialization of untrusted data through the JDBC URI parameter (JDBC being the Java API through which applications open database connections) to achieve RCE; however, the attacker must already have administrative access. The same trio of products was also vulnerable to CVE-2022-22959 (CVSS 8.8), a cross-site request forgery (CSRF) bug that can be used to validate a malicious JDBC URI. VMware has also resolved CVE-2022-22960 (CVSS 7.8), a local privilege escalation bug, and CVE-2022-22961 (CVSS 5.3), an information leak, in Workspace ONE Access, Identity Manager, and vRealize Automation. VMware has not found any evidence of the vulnerabilities being exploited in the wild. Patches are available; where patching is not immediately possible, the vendor has also provided workaround instructions to mitigate attack risk.
    Steven Seeley, from the Qihoo 360 Vulnerability Research Institute, was thanked for privately reporting the vulnerabilities to VMware. In other VMware news this month, the vendor’s open source Spring Framework has been at the center of a storm surrounding SpringShell/Spring4Shell, a critical vulnerability in Spring Core that could be exploited to achieve remote code execution (RCE). Tracked as CVE-2022-22965 and issued a CVSS score of 8.1, Spring4Shell impacts Tomcat servers running Spring MVC/WebFlux on JDK 9+. The vulnerability also affects VMware Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition. Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Java Spring4Shell flaw exploit attempts: These are the industries most affected

    The sector most heavily impacted by the Spring4Shell Java flaw is technology, according to security firm Check Point. Spring4Shell is a bug worth paying attention to and could be a software supply chain threat: Microsoft this week urged customers to patch the critical flaw in the widely used Spring framework for Java applications. The flaws include CVE-2022-22947 (in Spring Cloud Gateway, which also affected VMware’s Tanzu products), as well as CVE-2022-22963 (Spring Cloud Function) and CVE-2022-22965 (the Spring Framework bug usually meant by “Spring4Shell”), all affecting Java applications. Check Point said it continues to see exploit attempts against these vulnerabilities, and its data suggests 16% of organisations worldwide have seen attempts to exploit the flaws. Most of the targeted customers were based in Europe. In the first weekend after the vulnerability was disclosed, Check Point said it had seen around 37,000 attempts to exploit Spring4Shell. “The most impacted industry is software vendor where 28% of the organization were impacted by the vulnerability,” it said. This was followed by education/research and insurance/legal. “Organizations using Java Spring should immediately review their software and update to the latest versions by following the official Spring project guidance,” Check Point says. Java is widely used for building enterprise software applications. Microsoft advises customers using Windows 11 to monitor registry keys through mobile device management (MDM) policies to ensure that security settings have not been changed. It also recommends using the built-in Windows Defender Application Control (WDAC) to mitigate kernel-level attacks. Microsoft said that it has “been tracking a low volume of exploit attempts across our cloud services” for these vulnerabilities.
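    The exposure conditions the article gives for CVE-2022-22965 (Spring MVC or WebFlux on JDK 9 or later, with an unpatched Spring Framework) can be turned into a first-pass triage check. The script below is an added example, not code from Check Point, Microsoft or the Spring project. It assumes the fixed Spring Framework releases are 5.3.18 and 5.2.20 (from the Spring advisory, not stated in this article), takes JAR file names from an application’s WEB-INF/lib together with the output of `java -version`, and uses constructed sample input. Deployment as a WAR on Tomcat, the remaining precondition, is not visible from file names and must be confirmed separately.

```python
"""First-pass triage for CVE-2022-22965 (Spring4Shell) exposure.

Added example, not code from Check Point, Microsoft or the Spring project.
Assumptions (mine, not from the article): fixed Spring Framework releases
are 5.3.18 and 5.2.20; inputs are JAR names from WEB-INF/lib plus the
output of `java -version`; sample input below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed release per maintained Spring Framework line (Spring advisory).
# Lines older than 5.2 are out of support and never received a fix;
# 6.x shipped after the fix and is not affected.
FIXED_BY_LINE = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# spring-beans holds the vulnerable data binder; spring-webmvc / spring-webflux
# indicate the web stack the article names as a precondition.
JAR_RE = re.compile(
    r"^(spring-(?:beans|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9_]+)?\.jar$"
)
# Handles both `openjdk version "11.0.15"` and the legacy `java version "1.8.0_322"`.
JAVA_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')


def parse_spring_jar(jar_name: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, (major, minor, patch)) for a Spring jar we care about."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def spring_beans_patched(version: Tuple[int, int, int]) -> bool:
    """True if this spring-beans version carries the CVE-2022-22965 fix."""
    if version[0] >= 6:
        return True
    fixed = FIXED_BY_LINE.get(version[:2])
    if fixed is None:          # 5.1, 4.x, ...: unsupported, treat as unpatched
        return False
    return version >= fixed


def java_major(java_version_output: str) -> Optional[int]:
    """Extract the Java major version from `java -version` output."""
    m = JAVA_RE.search(java_version_output)
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2):   # "1.8.0_322" means Java 8
        return int(m.group(2))
    return major


def assess(jar_names: List[str], java_version_output: str) -> Dict[str, object]:
    """Combine the preconditions: unpatched spring-beans, MVC/WebFlux present, JDK 9+."""
    beans_version = None
    web_stack = False
    for name in jar_names:
        parsed = parse_spring_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "spring-beans":
            beans_version = version
        else:
            web_stack = True
    jdk = java_major(java_version_output)
    patched = beans_version is not None and spring_beans_patched(beans_version)
    return {
        "spring_beans": beans_version,
        "beans_patched": patched,
        "web_stack": web_stack,
        "jdk_major": jdk,
        "exposed": (beans_version is not None and not patched and web_stack
                    and jdk is not None and jdk >= 9),
    }


# Constructed sample input (not a real deployment): a WEB-INF/lib listing
# and the output of `java -version` on the host.
SAMPLE_JARS = ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar",
               "tomcat-embed-core-9.0.60.jar"]
SAMPLE_JAVA = 'openjdk version "11.0.15" 2022-04-19'

if __name__ == "__main__":
    print(assess(SAMPLE_JARS, SAMPLE_JAVA))
```

    A result of `exposed: True` means all three file-visible preconditions hold and the deployment should be treated as vulnerable until Spring is upgraded; `exposed: False` with `beans_patched: False` (for example on Java 8) still warrants an upgrade, since the JDK check only narrows the known exploitation path.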


    Zoom awarded $1.8 million in bug bounty rewards over 2021

    Zoom has awarded $1.8 million to researchers who submitted bug bounty reports over 2021. 

    Bug bounty programs, whether private and open to invitees only or public, where anyone can submit a vulnerability report, have become a critical way for organizations to improve their security posture. The industry is beset with talent shortages. Estimates suggest there will be approximately 3.5 million unfilled cybersecurity positions by 2025, and until more specialists are available, companies often cannot rely solely on in-house security teams, which already have more than enough of a workload. This is where bug bounties come in: external researchers and bug hunters test software and services, report any severe security issues, and receive credit and/or financial rewards in return. The popularity of Zoom’s video conferencing software exploded almost overnight because of COVID-19 and lockdowns, with many of us forced to work from home. The rapid increase in users also exposed security problems that had to be addressed quickly, and a bug bounty program was one of the firm’s initiatives for improving the situation. Zoom’s main program is private, but the platform actively recruits security researchers. Over 800 researchers participate in the program, which is hosted on HackerOne. Over 2021, the software vendor paid out over $1.8 million across 401 reports, and since the program’s launch over $2.4 million has been awarded in total.
    Recent updates to the program include widening the reward range on offer, with up to $50,000 per report for the most severe vulnerabilities and $250 for low-hanging fruit. The company also launched a public Vulnerability Disclosure Program (VDP) and a VIP bug bounty program covering its licensed software. “While Zoom tests our solutions and infrastructure every day, we know it’s important to augment this testing by tapping the ethical hacker community to help identify edge-case vulnerabilities that may only be detectable under certain use cases and circumstances,” Zoom commented.


    Fighting crime doesn't justify mandatory data retention: European Court of Justice

    The European Court of Justice (ECJ) has effectively banned the general use of telecommunications data retention for combating crime across the European Union. In a judgment delivered by the ECJ’s Grand Chamber on Tuesday, the court ruled that when the objective is combating crime, “the general and indiscriminate retention of traffic and location data exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society”. “Criminal behaviour, even of a particularly serious nature, cannot be treated in the same way as a threat to national security.” Traffic data is defined in EU law as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof”. Location data is “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”. This is more or less the same as what has been called “metadata” in Australia’s data retention debate. The now-invalid Irish Communications (Retention of Data) Act 2011 required telecommunications providers to retain all metadata for two years and make it available to the Gardaí, the Irish national police, following a “disclosure request” issued by an officer ranked chief superintendent or above. A disclosure request could be issued for “(a) the prevention, detection, investigation or prosecution of a serious offence, (b) the safeguarding of the security of the State, [or] (c) the saving of human life”. A “serious offence” was defined as one punishable by five years or more in jail, or one listed in a schedule to the Act.
    Metadata is “no less sensitive” than the content
    “In view of the sensitive nature of the information that traffic and location data may provide, the confidentiality of those data is essential for the right to respect for private life,” the court wrote.

    The Charter of Fundamental Rights of the European Union guarantees both “the right to respect for his or her private and family life, home and communications” and “the right to the protection of personal data concerning him or her”. While the Charter protects all personal data, the ECJ noted that traffic and location data is particularly sensitive. “[Such] data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health.” This information enjoys special protection under EU law, for historical reasons which should be obvious. “Taken as a whole, those data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data have been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them,” the court wrote. “In particular, those data provide the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.” The ECJ judgment does not prevent data retention to address threats to national security, however. These threats include such things as “protecting the essential functions of the State and the fundamental interests of society through the prevention and punishment of activities capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country and, in particular, of directly threatening society, the population or the State itself, such as terrorist activities”.
    “Unlike crime, even particularly serious crime, a threat to national security must be genuine and present, or, at the very least, foreseeable, which presupposes that sufficiently concrete circumstances have arisen to be able to justify a generalised and indiscriminate measure of retention of traffic and location data for a limited period of time.” A decision to implement data retention should be “subject to effective review” by a court or an independent administrative body, the court said.
    Convicted murderer Graham Dwyer may now be set free
    The ECJ decision relates to the 2015 conviction in Ireland of Graham Dwyer for the August 2012 murder of Elaine O’Hara, a childcare worker. As the Guardian put it, Dwyer had killed O’Hara after “grooming her for sadomasochistic fantasies that included stabbing women during sex”. “He committed what prosecutors called ‘very nearly the perfect murder’ but was caught and sentenced to life in prison after police tracked his movements through texts and phone data. There were no witnesses or physical evidence,” the Guardian wrote. “Dwyer appealed on the grounds the retention and accessing of his mobile phone data breached EU law.” According to the Irish Examiner, families of homicide victims are saying some murders could now go unsolved. They said it was “common sense” that the protection of life should take precedence over rights to privacy. But as the ECJ noted, “the effectiveness of criminal proceedings generally depends not on a single means of investigation but on all the means of investigation available to the competent national authorities for those purposes.” Dwyer is not yet free, however. His lawyers must now convince the Irish Supreme Court that the ECJ decision applies retroactively.
    European decision gives ammunition to Australian privacy advocates
    Australia’s mandatory data retention scheme is similar to the now-discredited Irish system. Australian telcos must retain metadata for two years. Officers from a range of agencies above a certain rank may request the retained data to investigate crimes punishable by three years or more in jail, a lower threshold than in Ireland. In the 2020-2021 financial year, more than 314,000 requests for telco data were made under this system. The ECJ’s judgment now gives ammunition to Australian digital rights campaigners who have long objected to data retention. “Australia’s data retention regime is essentially the same as the one the ICJ has found to be unlawful. It should be dismantled immediately,” said Justin Warren, chair of Electronic Frontiers Australia. “Surveillance is not safety. If Australia wishes to continue to claim to be a democratic society, we must abandon the reflexive surveillance set up to assuage the authoritarian desires of law enforcement and certain political actors. Our individual and collective privacy must be restored,” he told ZDNet. “Australia needs to decide what sort of country it wants to be. We can either be a liberal democracy or a country that uses indiscriminate mass-surveillance. We cannot be both.” However, unlike the EU and unlike other liberal democracies, Australia lacks a charter or bill of rights, the kind of document which underpinned the ECJ decision. In December 2021, the Department of Home Affairs started work on a complete overhaul of Australia’s electronic surveillance laws. The creation of a new Electronic Surveillance Act was a key recommendation of a comprehensive review of Australia’s intelligence community, and it aims to unravel the tangle of existing surveillance laws. Public submissions on that discussion paper closed on 11 February. An exposure draft of the proposed electronic surveillance legislation is planned to be released for public comment in late 2022.