More stories

  • in

    Fortune 500 service provider says ransomware attack led to leak of more than 500k SSNs

    Morley Companies, an organization that provides business services to dozens of Fortune 500 companies, said this week it was hit with a ransomware attack last year that led to the leak of sensitive information for more than 500,000 people. In a press release, the company said the ransomware attack began on August 1 and made its data “unavailable.” Despite requests for comment, the company would not explain why it waited until now to notify the 521,046 people affected, some of whom had their Social Security numbers leaked in the attack. The company said the attack affected the information of “current employees, former employees and various clients.” The information leaked includes names, addresses, Social Security numbers, dates of birth, client identification numbers, medical diagnostic and treatment information, and health insurance information.

    Morley said it hired cybersecurity experts to respond to the situation but needed six months to collect the “contact information needed to provide notice to potentially affected individuals.”

    Morley does not say it was a ransomware attack in the public notice, but the letters sent to victims provide more information. In filings with Maine’s Office of the Attorney General, the company explains that 521,046 people were affected. “That investigation revealed that a ransomware-type malware had prevented access to some data files on our system beginning August 1, 2021 and there was unauthorized access to some files that contained personal information. We then worked diligently to prevent further access and identify impacted individuals. Special programming was required and unique processes had to be built in order to begin analyzing the data,” Morley said. “The data complexity also required special processes to search for and identify key information. This process was lengthy but necessary to ensure appropriate notification occurred. On January 18, 2022, it was confirmed that your information was involved.”

    The company said it would provide credit monitoring and identity theft protection services to those affected. A call center has been established to answer questions about the issue. The company offers back-office processing, meetings and incentives management as well as exhibits and displays production to its clients.

    Cerberus Sentinel’s Chris Clements said it is overwhelmingly likely that the attackers had access to Morley data for weeks or even months before they ran their ransomware, locking Morley and their customers out of their data. “During this timeframe, people exposed to risk of fraud or identity theft may have been actively targeted while being oblivious to their risk. It’s incumbent upon any organization that stewards potentially sensitive data provided by their users that they not only defend it as well as possible, but that they also have the capabilities to quickly identify potentially compromised information and notify those affected should the worst happen. Those processes should be part of any incident response plan and regularly tested,” Clements said. “The unfortunate reality is that far too many organizations don’t have effective auditing controls to identify when data is accessed and by whom, or means to detect unusually high levels of access or exfiltration that can indicate that an attack is happening. Monitoring or controls to limit speed and volume of data access is a critical control that is often overlooked when planning cybersecurity strategy. Actions like alerting if a user’s account is accessing data during unusual or non-work hours or pulling 200 records in an hour when they normally access 20 can be instrumental in proactively detecting and limiting exposure from a potential breach.”
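    As an added illustration (not code from the article or from Cerberus Sentinel), here is the kind of access-volume and off-hours alerting Clements describes, run over a constructed record-access log: each user's hourly record count is compared with that user's own median from earlier hours, and any access outside business hours is flagged. The log format, the business-hours window and the 5x threshold are assumptions.

```python
"""Access-volume and off-hours alerting over a constructed record-access log.

Added example: per-user baselining ("200 records in an hour when they normally
access 20") plus an off-hours check. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample log, one access event per line:
# "<ISO timestamp> user=<id> action=<verb> records=<count>"
SAMPLE_LOG = """\
2021-07-26T09:05:00 user=alice action=read records=18
2021-07-26T10:12:00 user=alice action=read records=22
2021-07-26T11:40:00 user=alice action=read records=19
2021-07-26T14:03:00 user=alice action=read records=21
2021-07-27T09:10:00 user=alice action=read records=20
2021-07-27T10:30:00 user=alice action=read records=17
2021-07-27T23:15:00 user=alice action=read records=200
2021-07-26T09:00:00 user=bob action=read records=40
2021-07-26T13:00:00 user=bob action=read records=45
2021-07-27T09:00:00 user=bob action=read records=38
"""

WORK_HOURS = range(8, 19)   # assumption: 08:00-18:59 local time is normal activity
VOLUME_MULTIPLIER = 5.0     # assumption: alert when an hour exceeds 5x the user's median
MIN_BASELINE_HOURS = 3      # assumption: need this many earlier hours before volume alerting


def parse_log(text: str) -> List[Tuple[datetime, str, int]]:
    """Turn the constructed log text into (timestamp, user, records) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], int(kv["records"])))
    return events


def hourly_counts(events: List[Tuple[datetime, str, int]]) -> Dict[str, List[Tuple[datetime, int]]]:
    """Sum records per (user, clock hour) and return each user's buckets in time order."""
    totals: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for ts, user, n in events:
        totals[(user, ts.replace(minute=0, second=0, microsecond=0))] += n
    per_user: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for (user, bucket), n in totals.items():
        per_user[user].append((bucket, n))
    for buckets in per_user.values():
        buckets.sort()
    return per_user


def detect(text: str) -> List[dict]:
    """Return one alert per suspicious user-hour, listing every reason that fired.

    The baseline for an hour is the median of that user's *earlier* hourly totals,
    so a single spike cannot raise its own baseline.
    """
    alerts = []
    for user, buckets in hourly_counts(parse_log(text)).items():
        history: List[int] = []  # this user's earlier hourly totals, in time order
        for bucket, n in buckets:
            reasons = []
            if bucket.hour not in WORK_HOURS:
                reasons.append("off-hours")
            baseline: Optional[float] = median(history) if len(history) >= MIN_BASELINE_HOURS else None
            if baseline is not None and n > VOLUME_MULTIPLIER * baseline:
                reasons.append("volume")
            if reasons:
                alerts.append({"user": user, "hour": bucket.isoformat(), "records": n,
                               "baseline": baseline, "reasons": reasons})
            history.append(n)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    On the sample log only alice's 23:00 hour fires, for both reasons at once (200 records against a median of 19.5 from her six earlier hours); bob's larger but steady daytime reads stay quiet.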

  • in

    Mozilla adds four privacy-centric orgs to Data Futures Lab, awards each with $100,000

    Mozilla announced this week that four organizations have joined its latest Data Futures Lab cohort. Place Trust, Driver’s Seat Cooperative, Drivers Coop and Digital Democracy will all get $100,000 grants as well as access to Mozilla Fellows and a network of experts who can help them build out their platforms. The apps will also get support to implement specific user-centric data governance features, policies, and practices. Mehan Jayasuriya, senior program officer at Mozilla, said the four projects “will pilot new models for data stewardship with existing communities and provide real-world examples of how users and communities can be given greater ownership and control over their own data.”

    Place Trust is a non-profit working to create maps of cities that are “open, reliable and accessible and place them in a perpetual legal trust in the public interest.” Digital Democracy is an organization using an app called Mapeo to collect and share evidence of human and environmental rights abuses. New York City-based Driver’s Coop is a collectively-owned rideshare app with more than 5,000 drivers and 40,000 riders already using it. Driver’s Seat — a cooperative owned and controlled by rideshare and delivery drivers — is trying to put power back into the hands of on-the-ground workers, giving drivers more data and insights into how they can make money. Champika Fernando, lead at the Data Futures Lab at Mozilla, told ZDNet that Mozilla has worked to raise consumer awareness about the data collection practices of many of the most popular apps. But now they wanted to promote and support alternatives that respect data privacy.

    The challenge, according to Fernando, is that it is extremely lucrative for apps like Uber, GrubHub, and others to collect as much information as possible, knowing that someone somewhere will eventually pay money for it.

    “Today we have a few large actors that collect the majority of the data and share or steward that data in ways that benefit their own interests,” Fernando said, noting that the four new members of the latest cohort needed support to carry out their missions. “Organizations like these are not getting traditional investment attention because they are thinking about this in a totally different way. That’s not the easiest path forward in terms of scaling and growth. So one of the roles the lab is trying to play is to invest financially in them but also bring in other funders and philanthropic funding to start with.”

    The Data Futures Lab was launched in 2020 as a way to support people around the world who are building products and services that aim to disrupt a digital economy that has become dependent on sucking up as much data as possible. A recent report from Surfshark went through all of the most popular rideshare apps, finding that Uber and many other apps collect troves of data that have largely nothing to do with getting from one place to another.

    Hays Witt, co-founder and CEO at the Driver’s Seat Cooperative, told ZDNet that drivers for these apps were initially sold on the promise of being able to make their own hours and earn as much as they wanted. But many drivers for rideshare apps and food delivery platforms quickly realized they are at the mercy of the platforms that provide little information other than where to go and when. “Drivers told us they want to be able to own their data and make choices at an individual level. I want data that I can trust about my earnings, about my expenses. I want data that helps me evaluate all of the different offers that I’m getting bombarded with from the platforms and make decisions that are in my own interest based on my own data. Drivers also want a way to talk about their data together to see, not just on an individual level, but how they fit into the city that they’re working in. How am I doing versus other drivers?” Witt explained. Witt added that drivers deal with loneliness and are looking to know whether their experiences are similar to others or are outliers. They want more information that compares them to other drivers so they can make changes to how they operate. “What we’ve created is a technology platform and an organizational container for that platform to allow drivers to collect data about their work, interpret it themselves, and share it with each other in ways that they choose. They can learn from it in ways that improve their work experience at a really nuts-and-bolts level,” Witt said. “A driver uses our app to collect and share data about their trips and about their earnings. They get insights back in the app that help them see what their true pay is and how that changes based on decisions they make about the platform they work on or time of day.”

  • in

    Argo CD releases patch for 0-day vulnerability

    Argo CD released a patch this week for a zero-day vulnerability enabling attackers to access sensitive information like passwords and API keys. The vulnerability was discovered by Apiiro’s Security Research team and explained in a blog post released alongside the patch. Argo CD is a popular open source Continuous Delivery platform, and the vulnerability — tagged as CVE-2022-24348 with a CVSS score of 7.7 — “allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope.”


    The actors can then read and exfiltrate data residing in other applications, according to Apiiro. On GitHub, the company said all versions of Argo CD are vulnerable to the path traversal bug and noted that it is “possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository’s root directory.” “If an attacker with permissions to create or update Applications knows or can guess the full path to a file containing valid YAML, they can create a malicious Helm chart to consume that YAML as values files, thereby gaining access to data they would otherwise have no access to,” Argo CD explained. “The impact can especially become critical in environments that make use of encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data, and decrypt these secrets to disk before rendering the Helm chart. Also, because any error message from helm template is passed back to the user, and these error messages are quite verbose, enumeration of files on the repository server’s file system is possible.”

    There are no workarounds for the issue, and Argo CD urged its users to update their installations. Patches have been released for Argo CD v2.3.0, v2.2.4, and v2.1.9. Apiiro explained that it notified Argo CD of the issue on January 30, and the two sides worked on resolving it over the last week. Vulcan Cyber CEO Yaniv Bar-Dayan said they are generally seeing more advanced persistent threats that leverage zero-day and known, unmitigated vulnerabilities in software supply chain software, such as Argo CD.

    see also

    Best VPN services

    Virtual private networks are essential to staying safe online — especially for remote workers and businesses. Here are your top choices in VPN service providers and how to get set up fast.

    Read More

    For years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk, Bar-Dayan added. “But hackers are always looking for the most-effective path of least resistance to attain their objectives. A recent rash of advanced persistent threats that leverage a supply chain zero-day vulnerability daisy chained with known, unmitigated vulnerabilities, demonstrates how hackers are becoming increasingly sophisticated and opportunistic. Obviously the SolarWinds hack was the most notorious APT to use the software supply chain as the main attack vector,” Bar-Dayan explained. “In the event of a breach, it is unfair to put all the blame on the software supply chain vendor considering how bad actors often use known, unaddressed vulnerabilities that should have been mitigated by IT security teams well before the software supply chain hack became a reality. We need to do better as an industry before our cyber debt sinks us. Apiiro and Argo have taken the right steps to help Argo customers reduce the risk associated with CVE-2022-24348, but now IT security teams must collaborate and do the work to protect their development environments and software supply chains from threat actors.”
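    As an added illustration (not Argo CD's own code and not the fix shipped in the patched releases), here is the kind of pre-render check the advisory's description calls for: every values file an Application requests is resolved against the checked-out repository with symlinks followed, and rejected when the real path lands outside that root. The chart layout, file names and the "decrypted secret outside the repo" fixture are constructed for the demo.

```python
"""Refuse Helm values files that escape the repository root via symlinks.

Added example: a guard a repository server could run before `helm template`,
for the class of issue described for CVE-2022-24348. Not Argo CD's implementation.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def resolve_within_root(repo_root: str, requested: str) -> Optional[str]:
    """Resolve `requested` (as given in an Application's values file list)
    against `repo_root`, following every symlink, and return the real path
    only if it still lies inside the root and is a regular file.

    Returns None for every escape: absolute paths, `..` segments, and a values
    file that is a symbolic link to somewhere outside the repository.
    """
    root = Path(repo_root).resolve()
    candidate = (root / requested).resolve()   # Path.resolve() follows symlinks
    try:
        candidate.relative_to(root)             # raises ValueError if outside root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return str(candidate)


def vet_values_files(repo_root: str, value_files: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested values file to its vetted real path, or None if rejected.

    A caller would refuse to render when any entry is None, instead of handing
    helm a path that resolves outside the repo and relaying its verbose error.
    """
    return {vf: resolve_within_root(repo_root, vf) for vf in value_files}


def build_demo_repo() -> Tuple[str, str]:
    """Constructed fixture: a chart with a genuine values file and a second
    'values file' that is really a symlink to a secret outside the repository."""
    repo = tempfile.mkdtemp(prefix="repo-")
    outside = tempfile.mkdtemp(prefix="outside-")
    chart = Path(repo) / "mychart"
    chart.mkdir()
    (chart / "Chart.yaml").write_text("apiVersion: v2\nname: mychart\nversion: 0.1.0\n")
    (chart / "values.yaml").write_text("replicaCount: 1\n")
    secret = Path(outside) / "decrypted-secrets.yaml"      # constructed, stands in for
    secret.write_text("dbPassword: example-placeholder\n")  # a SOPS/git-crypt output
    os.symlink(secret, chart / "values-prod.yaml")          # the escaping values file
    return repo, outside


if __name__ == "__main__":
    repo_root, _ = build_demo_repo()
    requested = ["mychart/values.yaml", "mychart/values-prod.yaml", "../etc/passwd"]
    for name, real in vet_values_files(repo_root, requested).items():
        print(f"{name}: {'ok -> ' + real if real else 'REJECTED'}")
```

    Only the genuine values.yaml passes; the symlinked values-prod.yaml and the `..` path are both rejected before helm ever sees them.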

  • in

    Republican senators demand briefing on IRS decision to require ID.me 'selfies'

    A group of Republican senators on the Finance Committee have formally called for the Internal Revenue Service (IRS) to provide more information about its plan to incorporate facial recognition provider ID.me into its processes. In November, the agency announced that by the summer of this year, taxpayers will need to have an ID.me account in order to access certain IRS online resources. The IRS signed an $86 million contract with ID.me, according to the Washington Post, which noted that more than 70 million Americans who filed for unemployment insurance, pandemic assistance grants, child tax credit payments, or other services have already been scanned.

    In order to check on the status of a return, view balances and payments received, obtain a transcript, and enter into an online payment agreement, people will need to create an ID.me account and give the private company either a government ID, passport, birth certificate, W-2 form, social security card, a bill of some kind or a “selfie,” among a host of other private documents they may ask for. The plan has caused significant outrage among many privacy experts who question why a private company that already has a track record of lying about its platform would be hired for something as sensitive as access to the IRS. A number of people, including security researcher Brian Krebs, have already reported issues with the platform.

    Jay Stanley, senior policy analyst at the ACLU, added that ID.me would not be subject to various oversight rules like the Freedom of Information Act and the Privacy Act of 1974, something the letter also notes. The letter — signed by 15 Republican senators and addressed to IRS Commissioner Chuck Rettig — explains that using ID.me “appears to subject taxpayers to the terms of three separate agreements filled with dense legal fine print: a privacy policy agreement, terms of service agreement, and a ‘Biometric Data Consent and Policy.’” They also expressed concern about the possibility of cyberattacks leaking the biometric data of millions of Americans who are being forced to entrust a private company with sensitive data.

    “There is ample evidence to be very concerned about an IRS contractor’s ability to safely manage, collect and store this unprecedented level of confidential, personal data. To put this in perspective, in 2019 the IRS estimated it faced 1.4 billion cyber-attacks annually. It is highly likely, with personal information on a reported 70 million individuals, including biometric data, ID.me could be a top target for cyber-criminals, rogue employees, and espionage,” the Senators wrote. “The IRS has unilaterally decided to allow an outside contractor to stand as the gatekeeper between citizens and necessary government services. The decision millions of Americans are forced to make is to pay the toll of giving up their most personal information, biometric data, to an outside contractor or return to the era of a paper-driven bureaucracy where information moves slow, is inaccurate, and some would say is processed in ways incompatible with contemporary life. Of concern, also, is that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances.”

    The letter includes several questions about ID.me and how the IRS decided to hire the company for this process. They demand answers to the questions by February 27 and also ask for a briefing on the issue. The White House and IRS did not respond to requests for comment. None of the Democratic senators on the Finance Committee responded to requests for comment outside of Senator Ron Wyden. Wyden’s spokesperson would not send along any statement or comments about the issue, only pointing to two tweets he has previously sent out.

    I’m very disturbed that Americans may have to submit to a facial recognition system, wait on hold for hours, or both, to access personal data on the IRS website. While e-filing returns remain unaffected, I’m pushing the IRS for greater transparency on this plan. https://t.co/8l7m2OiPOI— Ron Wyden (@RonWyden) January 21, 2022

    Representative Ted Lieu also sent out a tweet about the issue, calling it a “very, very bad idea by the IRS.” “It will further weaken Americans’ privacy. And facial recognition is less accurate for darker skin individuals. The IRS needs to reverse this Big Brother tactic, NOW,” Lieu said. Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website this week — called Dump ID.me — allowing people to sign a petition against the IRS plan. Caitlin Seeley George, campaign director at Fight for the Future, told ZDNet that they are thankful more legislators are taking action and questioning how the IRS’ plan will impact their constituents. “The letter from these Senators raises a number of important questions about how we got to this point where millions of people could have to hand their biometric information to a private company and put their most sensitive information in danger in order to access essential governmental services,” Seeley George said. “And while these are critical questions that must be answered in order to ensure the IRS is doing its due diligence to fully protect taxpayers, there is no process that involves facial recognition or any biometric verification process that will ensure the safety of peoples’ information and rights.”

    Facial recognition is already used widely across multiple government agencies, alarming many who point to dozens of studies proving how flawed the technology is, particularly for people of color and women. Even the National Institute of Standards and Technology has found a higher rate of false positives on one-to-one algorithms for Asian and African American faces. Fast Company reported that ID.me is now used by the Department of Veterans Affairs, the Social Security Administration, and several other federal agencies. The ACLU’s Stanley noted to ZDNet that dozens of state agencies across the country also mandate facial recognition in order to access government benefits.

  • in

    Investment in data privacy in Brazil falls below global average

    According to a study released by Cisco, investments in data privacy among Brazilian organizations are falling below the global average. The study interviewed 4,900 professionals in 27 countries and found that Brazilian firms invest a yearly average of $2.2 million in data privacy, compared with the global average of $2.7 million a year.

    On the other hand, the Cisco data privacy benchmark found that 94% of the Brazilian professionals surveyed consider privacy a crucial element of the overall business strategy. This compares with the global average of 90%. Moreover, 91% of the Brazilian respondents believe customers would not buy from companies that do not protect customer data. Respondents estimate their return on investment (ROI) concerning their data privacy initiatives is 1.8 times the spend on average. According to the benchmark, this remains very attractive, even if a little lower in relation to last year, when participants reported ROI of 1.9 times the spend. The study attributed the slight decrease to the ongoing need to respond to the pandemic, the need to adapt to new legislation, the uncertainty about international data transfers, and increased requests for data localization.

    Regarding the impact of requirements around data localization, 85% of Brazilians stated that this translates into high costs. This compares with the effects reported by professionals in other countries, such as the United States (87%) and China (92%). Concerning the impact of privacy laws, 83% said regulations on that front had a positive effect, while 3% stated the rules harmed business overall. In relation to which part of the IT organization should be accountable for privacy, only 25% of Brazilian security professionals said it is part of their remit. When it comes to data usage, 96% of the study’s Brazilian respondents recognize that their organization has a responsibility to only use data responsibly, compared with the global average of 92%. Additionally, 92% of those polled in Brazil believe their organizations have processes to ensure that automated decision-making is done according to customer expectations, compared with 87% of global respondents.

  • in

    Freeze out hackers during the 2022 Winter Olympic Games

    Attackers have increasingly targeted the Olympics with cyberattacks. The 2022 Winter Olympics kick off in Beijing this week, and this trend will likely continue. In fact, this Tuesday, the FBI issued a warning about possible cyber activities (such as distributed denial of service attacks, ransomware, phishing attacks, and more) during the Olympics. Following the success of the 2020 Summer Olympics in Tokyo, however, we don’t expect the bad guys to win, thanks to the preparation that goes into defending the Games.

    Adopting a new regimen

    The 2020 Summer Olympics were somewhat similar to the 1996 Summer Olympics, in which the US gymnastics team brought home its first gold medal in the team finals. For years, USA Gymnastics fought to be on top, ultimately to be swept away by the Russians (previously the USSR). It wasn’t until the organization adopted a similar training regimen that the team finally made their way to the top of the podium. Security and risk pros must adopt a regimen to strengthen cyber-defenses to avoid being swept away. A cyberattack on the opening of the 2018 Winter Olympics in Pyeongchang resulted in the IPTVs (Internet Protocol televisions) malfunctioning, main servers being shut down (preventing attendees from being able to access their tickets), a Wi-Fi outage in the Olympic Stadium, and film drones unable to deploy. However, the 2020 Tokyo Summer Olympics (held in 2021, thanks to COVID-19) are viewed as a cybersecurity success story.

    In the months leading up to the Tokyo Olympics, intelligence agencies warned of cyberattacks and the need to exercise preventive measures (almost like implementing a new training regimen) to ensure that there wouldn’t be a repeat, or worse, of the 2018 Winter Games (and another loss of a medal) due to the market size of such an event. Luckily, the International Olympic Committee (IOC) and local organizers of the Tokyo Games didn’t need to be convinced to take major security measures ahead of the Games. They implemented strong proactive measures to prevent an attack, including the hiring of a third-party firm with a dedicated team of 200 cybersecurity specialists. While a minor incident did occur (think of Kerri Strug’s infamous vault), the cybersecurity team thwarted over half a billion cyberattacks on the Summer Games, which saw over 2.5 times the number of attempts seen at the 2012 London Olympics. The success of thwarting so many cyberattacks and the implementation of proactive security protocols would have clinched a gold medal if one could be awarded for cybersecurity.

    Ready yourselves for Olympic-related cyberattacks

    So what does this all mean for the 2022 Winter Games? Will we see another cybersecurity gold medal? We will likely see a spike in attempted attacks — specifically, ransomware — against the Games themselves. It is also likely that individuals and organizations will see an uptick in phishing attempts and scams, emails masquerading as official Olympics communications, and illegitimate streaming services posing a threat to people trying to watch online. The Olympics are a worldwide market and could provide lucrative opportunities for hackers. If the 2018 and 2020 Games have taught us anything, however, we know that the IOC and local organizers will be well prepared to thwart any attempts that come their way. Hopefully, that means the clinching of another medal (maybe this time for Team USA Hockey). For security and risk leaders, use the 2022 Winter Games as a reason to warn your users about potential threats, review your security procedures, and shore up your defenses. Just like the Olympians we celebrate in the Games, cybersecurity pros need a training regimen to ready themselves for competition. Help your home team clinch their 2022 cybersecurity gold medal. VP Research Director Joseph Blankenship wrote this post, and it originally appeared here.

  • in

    Intuit releases security notices, warns of phishing emails ahead of tax season

    Intuit released two warnings this week about different types of phishing emails being sent to their customers. 

    In two separate security notices on Tuesday and Wednesday, the company said it has received reports from customers about two kinds of phishing emails they were getting. Intuit urged recipients not to click on any of the links or attachments, not to reply to the email, and to delete the email. If you have already clicked on a link in the email or downloaded a file from the email, the company said you should delete the download, scan your system with an “up-to-date anti-virus program,” and change your passwords. “Intuit has recently received reports from customers that they have received emails similar to the one below. This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” Intuit explained. 
    The earlier warning shared a copy of another type of phishing email customers received. 
    Erich Kron, security awareness advocate at KnowBe4, said these attacks typically tend to ramp up during tax season. The attacks generally attempt to trick people into logging into their accounts on a fake website, allowing crooks to steal the user’s credentials.  Kron suggested that anyone who has received these types of emails should go directly to the official website and log into their account, where any notifications or issues with the account would be made obvious, as opposed to clicking on links straight from emails. 

    “In addition, on any website where you were entering a username and password, you should check the URL bar to ensure you are at the legitimate organization’s website,” Kron said. Tripwire’s Tim Erlin added that phishing continues to be a popular means of attack because it continues to work. It only takes one user to click in order for the phishing campaign to be effective for the attacker, Erlin said, noting that it’s very difficult for an organization to prevent phishing attempts because they don’t require any compromise of infrastructure that organization controls. “While we try to address phishing with technological solutions, the problem remains a primarily human one,” he explained.

    The IRS released a similar warning last week, reminding taxpayers “to be aware that criminals continue to make aggressive calls posing as IRS agents in hopes of stealing taxpayer money or personal information.”

  • in

    PowerPoint add-on used to spread malicious files, says Avanan

    A PowerPoint add-on is being used to spread malicious files, according to the findings of security company Avanan. Avanan’s Jeremy Fuchs said the .ppam file — which has bonus commands and custom macros — is being used by hackers “to wrap executable files.”

    The company began seeing the attack vector in January, noting that the .ppam files were used to wrap executable files in a way that allows hackers to “take over the end-user’s computer.” Most of the attacks are coming through email. “In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten,” Fuchs said. “Using .ppam files… hackers can wrap, and thus hide, malicious files. In this case, the file will overwrite the registry settings in Windows, allowing the attacker to take control over the computer, and keep itself active by persistently residing in the computer’s memory.”
    The hackers found a way around security tools because of how infrequently the .ppam file is used. Fuchs added that the attack method could be used to spread ransomware, pointing to an incident in October where a ransomware group did use the file type during an attack. Aaron Turner, vice president of SaaS posture at Vectra, said the ubiquity of Microsoft’s collaboration suite makes it a favorite of attackers, and the latest PowerPoint attack is the most recent example of more than 20 years of crafty Microsoft Office documents delivering exploits. 

    “For organizations that rely on Exchange Online for their email, they should review their anti-malware policies configured in their Microsoft 365 Defender portal. Alternatively, if there is a high risk of attack that needs to be addressed outside of the Defender policies, specific attachment file types can be blocked in a dedicated .ppam blocking policy as an Exchange Online mail flow policy,” Turner said. “When we run our posture assessment scan against Exchange Online, we check the configured policy and compare it to our recommendation of blocking over 100 different file types. As the result of this research, we’ll be adding .ppam to our list of file extensions to block due to the relative obscurity and low use of that particular PowerPoint file extension.”