More stories

  • Deal alert: These 10 e-learning bundles teach ethical hacking, cryptocurrency trading, more

    StackCommerce
    When you give your partner the gift of learning, you also provide valuable opportunities. And we have 10 amazing e-learning course bundles that are an extra 15% off during our Valentine’s Day Sale. Just use coupon code VDAY2022 at checkout to score your partner the opportunity to learn a new skill.

    The All-In-One 2022 Super-Sized Ethical Hacking Bundle has 18 courses, but you can qualify for a well-paid ethical hacking position after completing the first one. And you don’t need any tech experience whatsoever to take it. Get it for $36.54 (reg. $3,284) with code VDAY2022.

    With The Complete 2021 TEFL Certification Training Bundle, you can train to become certified to teach English as a foreign language. It also includes lessons on how to develop your coaching and mentoring prowess, among other skills. Get it for $33.99 (reg. $250) with code VDAY2022.

    The Blockchain Bootcamp Certification Training Bundle first teaches the fundamentals of blockchain technology and how to use it to drive more revenue. You’ll also find training material on how to become a Certified Blockchain Solutions Architect (CBSA) or Certified Blockchain Developer (CBDH). Get it for $16.99 (reg. $297) with code VDAY2022.

    The Cryptocurrency Wealth Creation: Staking, Lending & Trading Course provides an overview of cryptocurrency and explains how to open accounts. Then it covers the most popular methods of generating passive income from cryptocurrency. Get it for $16.99 (reg. $200) with code VDAY2022.

    The Complete NFT & Cryptocurrency Wealth Building Masterclass Bundle thoroughly covers Bitcoin and cryptocurrency trading. But you will also learn about non-fungible tokens (NFTs), including how to create an NFT of your own. Get it for $25.49 (reg. $1,200) with code VDAY2022.

    The NIST Risk Management Framework is the US government’s standard process for managing security and privacy risk to federal information systems, supply chain risk included. The NIST Cybersecurity & Risk Management Frameworks course will teach you the process of qualifying for a range of government cybersecurity positions. Get it for $33.15 (reg. $295) with code VDAY2022.

    The 2022 Ultimate Cybersecurity Analyst Preparation Bundle provides training for a wide variety of cybersecurity certifications. Start with one, and each one afterward will advance your career another step up. Get it for $25.49 (reg. $1,600) with code VDAY2022.

    Python is one of the most popular programming languages and among the easiest to learn. The 12 courses in The 2022 Premium Python Programming PCEP Certification Prep Bundle cover an entire career of Python training, but you can start applying for positions after completing just one. Python skills are excellent for remote work, so you may also want to learn a new language or two if you end up working abroad. Get it for $29.74 (reg. $2,400) with code VDAY2022.

    The Ultimate Lifetime Bundle of StackSkills + Infosec4TC + Stone River is the ultimate e-learning bundle. You get more than 1,000 courses covering a wide variety of industries with StackSkills, another 800 tech courses from Stone River, and over 90 specialized courses on cybersecurity from Infosec4TC, which has an impressive rating of 4.8 out of 5 stars on Trustpilot. Get it for $97.75 (reg. $13,994) with code VDAY2022.

    Cybersecurity is more crucial than ever, and the six courses in The 2022 Premium CompTIA CyberSecurity & Security+ Exam Prep Bundle will help you prepare for the IT certifications needed to pursue a career in this field. Each course focuses on CompTIA certifications, ensuring you’ll develop a vendor-neutral understanding of IT and security. Get it for $25.50 (reg. $1,200) with code VDAY2022.


  • Europe's biggest car dealer hit with ransomware attack

    One of Europe’s biggest car dealers, Emil Frey, was hit with a ransomware attack last month, according to a statement from the company. 


    The Swiss company appeared on the Hive ransomware group’s victim list on February 1 and confirmed that it was attacked in January. “We have restored and restarted our commercial activity already days after the incident on January 11, 2022,” a spokesperson said, declining to answer further questions about whether customer information was accessed.

    The company, which has about 3,000 employees, generated $3.29 billion in sales in 2020 from a range of automobile-related businesses. It was ranked the number 1 car dealership in Europe by revenue and by the total number of vehicles for sale.

    The FBI spotlighted the Hive ransomware group in an August 2021 alert after its members attacked dozens of healthcare organizations last year. In 2021, Hive attacked at least 28 healthcare organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The FBI alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department”, reachable through the Tor browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have also been phoned by the attackers demanding ransoms.

    Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation.

    On Wednesday, the FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) released a warning indicating that a growing wave of increasingly sophisticated ransomware attacks poses a threat to critical infrastructure and organizations around the world. “We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim,” said CISA Director Jen Easterly.

  • Microsoft, Oracle, Apache and Apple vulnerabilities added to CISA catalog

    The US Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known exploited vulnerabilities this week, adding 15 vulnerabilities based on evidence that threat actors are actively exploiting them.

    The list includes a Microsoft Windows SAM local privilege escalation vulnerability, CVE-2021-36934, with a remediation date of February 24. Vulcan Cyber engineer Mike Parkin said the vulnerability was patched in August 2021, shortly after it was disclosed. “It is a local vulnerability, which reduces the risk of attack and gives more time to deploy the patch. CISA set the due date for Federal organizations who take direction from them, and that date is based on their own risk criteria,” Parkin said. “With Microsoft releasing the fix 5 months ago, and given the relative threat, it is reasonable for them to set late February as the deadline.”

    The rest of the list covers a range of Microsoft, Apache, Apple, and Jenkins vulnerabilities with remediation dates of August 10.

    While some experts questioned CISA’s new additions to the list, Netenrich’s John Bambenek explained that anything that provides a straightforward path to elevated privileges and is being exploited by the kind of threat actors CISA is concerned about needs to be remediated immediately.
    Pravin Madhani, CEO of K2 Cyber Security, noted that more than half of the vulnerabilities are classified as remote code execution (RCE) vulnerabilities.

    “RCE is one of the most dangerous types of vulnerabilities as it gives the attacker the ability to run almost any code on the hacked site. RCE, and other flaws such as XSS (Cross Site Scripting), have long been included on the OWASP Top 10 list, so why aren’t companies better equipped to protect against these attacks?” Madhani asked.

    Viakoo CEO Bud Broomhead said he believes cybercriminals are using older vulnerabilities in exploits against new device targets, specifically IoT devices. As an example, Broomhead mentioned vulnerabilities that enable man-in-the-middle (MitM) attacks. “Virtually all IT systems are protected against this threat, but IoT systems often are not, leading threat actors to revisit these older vulnerabilities knowing that network-connected IoT devices can be exploited through them,” Broomhead said. “This would lead to a vulnerability discovered years ago being added recently to the CISA catalogue. With close to 170,000 known vulnerabilities priority should be given to the ones that are causing real damage right now, not ones that in theory could cause damage.”
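    The practical question a defender has on reading a KEV update is which of their own assets are affected and by when. The following Python is an example added for this page, not code from CISA or ZDNet: it parses an excerpt in the shape of the KEV JSON feed and joins it against a scanner inventory, flagging anything past its due date. All of the data is constructed; only CVE-2021-36934 and its February 24 due date come from the story, while CVE-0000-0001 is a deliberate placeholder (not a real CVE) that exists only to exercise the not-yet-due path, and the host names are made up.

```python
"""Cross-check a CISA KEV feed against a local vulnerability inventory and
report which findings are past their remediation due date.

Added example for this page; not code from CISA or ZDNet. All data below is
constructed: only CVE-2021-36934 and its 2022-02-24 due date come from the
story. CVE-0000-0001 is a placeholder (not a real CVE) that exists only to
exercise the not-yet-due path, and the host names are made up.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed: a top-level
# "vulnerabilities" list with one object per CVE.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.02.10",
  "dateReleased": "2022-02-10T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-36934",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability",
      "dateAdded": "2022-02-10",
      "shortDescription": "Windows SAM local privilege escalation; see vendor advisory.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-02-24"
    },
    {
      "cveID": "CVE-0000-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry (constructed, not a real CVE)",
      "dateAdded": "2022-02-10",
      "shortDescription": "Placeholder used to exercise the not-yet-due path.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-08-10"
    }
  ]
}
"""

# Constructed scanner output: which CVEs are still open on which hosts.
SAMPLE_INVENTORY = [
    {"host": "ws-017", "cve": "CVE-2021-36934"},
    {"host": "ws-018", "cve": "CVE-2021-36934"},
    {"host": "web-01", "cve": "CVE-0000-0001"},
    {"host": "web-01", "cve": "CVE-0000-0002"},  # not in KEV: not reported here
]


def parse_kev(feed_text):
    """Return {cveID: entry} with dateAdded and dueDate parsed into date objects."""
    feed = json.loads(feed_text)
    catalog = {}
    for raw in feed["vulnerabilities"]:
        entry = dict(raw)
        entry["dateAdded"] = date.fromisoformat(raw["dateAdded"])
        entry["dueDate"] = date.fromisoformat(raw["dueDate"])
        catalog[raw["cveID"]] = entry
    return catalog


def kev_findings(catalog, inventory, today):
    """Join the inventory against the catalog and return one finding per
    (host, CVE) pair that is in KEV, most overdue first. `today` may be a
    date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for item in inventory:
        entry = catalog.get(item["cve"])
        if entry is None:
            continue  # not known-exploited per CISA: out of scope for this report
        days_left = (entry["dueDate"] - today).days
        findings.append({
            "host": item["host"],
            "cve": item["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"].isoformat(),
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
        })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_JSON)
    for f in kev_findings(catalog, SAMPLE_INVENTORY, date.today()):
        print(f'{f["status"]:8} {f["host"]:8} {f["cve"]:15} due {f["due"]} '
              f'({f["days_left"]:+d} days) {f["product"]}')
```

    The live feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json has the same shape and can be passed to parse_kev() in place of the sample. The due dates bind only the federal organizations that take direction from CISA, as Parkin notes above, but the catalog is a short, evidence-based list that any organization can use as a minimum patch priority.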

  • Google says nearly $9 million given out in 2021 vulnerability rewards

    Google announced this week that its Vulnerability Reward Programs paid out $8,700,000 in vulnerability rewards in 2021. Researchers donated $300,000 of their rewards to charities of their choice, according to a blog post from Sarah Jacobus of Google’s Vulnerability Rewards Team.

    For Android vulnerabilities, payouts doubled compared to 2020, with almost $3 million rewarded to researchers for a variety of bugs. The company also handed out its largest Android payout ever, $157,000. Google also launched the Android Chipset Security Reward Program, an invite-only program for researchers hunting bugs in chipsets from certain popular Android chipset manufacturers; it paid $296,000 for over 220 unique security reports. Jacobus specifically called out Aman Pandey of the Bugsmirror Team, Yu-Cheng Lin, and the researcher gzobqq@gmail.com, who secured the $157,000 award. The company noted that it is also offering up to $1,500,000 for bugs found in the Titan M security chip used in its Pixel devices.
    When it comes to Chrome, the company set a new record as well. Google gave out $3.3 million in VRP rewards to 115 researchers who found 333 unique Chrome security bugs. “Of the $3.3 million, $3.1 million was awarded for Chrome Browser security bugs and $250,500 for Chrome OS bugs, including a $45,000 top reward amount for an individual Chrome OS security bug report and $27,000 for an individual Chrome Browser security bug report,” Jacobus said.

    “Of these totals, $58,000 was awarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Each valid report from an externally provided fuzzer received a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward.” Jacobus also spotlighted Rory McNamara, Leecraso, and Brendon Tiszka for their work on Chrome bugs.

    Google Play paid out $550,000 in rewards to more than 60 security researchers. The tech giant was also eager for exploit research on its kCTF cluster, raising its reward amounts in November from up to $10,000 to up to $50,337; several participants brought in $175,685 in rewards. The Google Cloud Platform awarded Ezequiel Pereira the top prize, $133,337, for finding an RCE in Google Cloud Deployment Manager. In total, the Google Cloud Platform paid the winners of the 2020 competition $313,337.

    Google said it partnered with researchers to find and fix thousands of vulnerabilities throughout 2021 and launched bughunters.google.com to help move the effort along. The platform gives researchers a place to submit bugs for Google, Android, Chrome, Google Play, and more, and it gamifies the bug hunting process with per-country leaderboards, company swag, awards, and more. The company also explained that the Vulnerability Research Grant program awarded $200,000 in grants to more than 120 security researchers around the world. “With the launch of the new Bug Hunters portal, we plan to continue improving our platform and listening to you – our researchers – on ways we can improve our platform and Bug Hunter University,” Jacobus said. “Thank you again for making Google, the Internet, and our users safe and secure!”

  • Google: Vendors took an average of 52 days to fix reported security vulnerabilities

    Google’s Project Zero released a report covering its work in 2021. It found that vendors took an average of 52 days to fix reported security vulnerabilities.

    Between 2019 and 2021, Project Zero researchers reported 376 issues to vendors under their 90-day deadline. Of those 376 issues, more than 93% have been fixed and over 3% have been marked as “WontFix” by the vendors, according to Project Zero. The researchers added that 11 other bugs remain unfixed and 8 have passed their deadline to be fixed. Microsoft, Apple, and Google account for 65% of the bugs discovered. Microsoft led the way with 96 bugs, followed by 85 from Apple and 60 from Google.

    “Overall, the data show that almost all of the big vendors here are coming in under 90 days, on average. The bulk of fixes during a grace period comes from Apple and Microsoft (22 out of 34 total). Vendors have exceeded the deadline and grace period about 5% of the time over this period,” Project Zero researchers said. “In this slice, Oracle has exceeded at the highest rate, but admittedly with a relatively small sample size of only about 7 bugs. The next-highest rate is Microsoft, having exceeded 4 of their 80 deadlines. [The] average number of days to fix bugs across all vendors is 61 days.”
    Google also provided other statistics showing that the overall time to fix has consistently been decreasing, particularly for vendors like Microsoft, Apple, and Linux. All three reduced their time to fix between 2019 and 2020 while Google sped up in 2020 and slowed down again in 2021. 

    In 2021, they noted that only one 90-day deadline was exceeded, a stark decrease compared to the average of 9 per year in the other two years. The researchers added that the grace period was used 9 times, half of them by Microsoft, versus the slightly higher average of 12.5 in the other years.

    When it comes to mobile vulnerabilities, iOS devices had 76 total bugs, followed by 10 for Samsung Android devices and 6 for Pixel Androids. For browsers, Chrome had 40 bugs and averaged 5.3 days from bug report to a public patch; WebKit had 27 bugs and averaged 11.6 days, while Firefox had 8 bugs and averaged 16.6 days. A public patch is not the same as a fix shipped to users, which is the figure the researchers go on to compare.

    “Chrome is currently the fastest of the three browsers, with time from bug report to releasing a fix in the stable channel in 30 days. Firefox comes in second in this analysis, though with a relatively small number of data points to analyze. Firefox releases a fix on average in 38 days,” the researchers said. “WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days. Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately, this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users.”

    Project Zero said the findings were a positive development, showing that many vendors are fixing most of the bugs they find. Vendors are also moving faster to rectify issues, with Google attributing it to responsible disclosure policies that have become the standard in the industry. Google urged all vendors to focus on a “more frequent patch cadence for security issues.”

    “We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities. Through more transparency, information sharing, and collaboration across the industry, we believe we can learn from each other’s best practices, better understand existing difficulties and hopefully make the internet a safer place for all,” Project Zero said.

  • Amazon steps in to close exposed FlexBooker bucket after December data breach

    Digital scheduling platform FlexBooker has been accused of exposing the sensitive data of millions of customers, according to security researchers at vpnMentor.

    The researchers said the Ohio-based tech company was storing data in an AWS S3 bucket with no access controls in place, leaving the contents publicly readable by anyone with a web browser. The 19 million exposed files included full names, email addresses, phone numbers and appointment details. FlexBooker did not respond to requests for comment from ZDNet, but vpnMentor said it contacted the company and Amazon about the issue.

    “We did contact them in January, to which they sent what seemed to be an automatic reply about the leak that affected them in December. We tried to explain it was a new breach, but didn’t hear back,” a vpnMentor spokesperson said. “Which is why we decided to contact AWS directly (as Flexbooker wrote on their site they were working together with Amazon), and soon after the bucket was secured (Amazon probably informed Flexbooker, as Amazon isn’t supposed to do it themselves).”

    In January, FlexBooker apologized for a data breach that involved the sensitive information of 3.7 million users. At the time, the company told ZDNet a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said its “system data storage was also accessed and downloaded” as part of the attack. It added that it worked with Amazon to restore a backup and was able to bring operations back in about 12 hours.

    “We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”

    Researchers at vpnMentor said they were not aware of this data breach when they scanned the internet for potential vulnerabilities in December. By January 23, vpnMentor had confirmed the latest issue, and it contacted FlexBooker on January 25. Amazon was contacted the same day, and by January 26 the bucket had been secured.

    “Flexbooker’s misconfigured AWS account contained over 19 million HTML files which exposed what seemed to be automated emails sent via FlexBooker’s platform to users. This means potentially up to 19 million people were exposed, depending on how many people made multiple bookings on a website using Flexbooker,” the researchers said in the report. “Each email appeared to be a confirmation message for bookings made via the platform, and exposed both the FlexBooker account holder and the person(s) who made a booking. For example, a plumbing supply company was using FlexBooker to schedule consultations between employees and customers. In this instance, PII data for both people were exposed.”

    [Image: one of the appointments exposed by FlexBooker’s platform. Credit: vpnMentor]

    The leak is particularly alarming because the emails included links carrying unique codes, which could be used to construct cancellation links and edit links and to view the appointment details the emails referred to. The S3 bucket was also live when vpnMentor discovered it, meaning it was still being updated with new confirmation emails and exposing more people every day. vpnMentor included screenshots of the appointments, which ranged from COVID-19 tests to pet euthanizations and babysitting appointments; the babysitting emails exposed the sensitive information of children as well.

    “A few days after the breach was secured, we observed hackers on the dark web once again selling private data apparently owned by Flexbooker. It’s not clear if this was from the previous breach, the one our team discovered, or a mix of both. However, it shows the risk for companies who don’t adequately secure their users’ data and how quickly hackers can get stolen data out into the open,” the researchers explained.

    In January, Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the first trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.” A FlexBooker spokesperson confirmed Hunt’s report, telling ZDNet that the last 3 digits of card numbers were included in the breach but not the full card information, expiration date, or CVV.
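    A bucket ends up “accessible to anyone with a web browser” through one of two channels, a bucket policy with a wildcard principal or an ACL grant to the AllUsers group, and S3 Block Public Access exists to override both. The following Python is an example added for this page, not FlexBooker’s, vpnMentor’s or AWS’s code: it evaluates a bucket’s policy, ACL and public-access-block documents (as returned by the `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` API calls) and says whether the bucket is publicly readable. The bucket name, account ID, role name and every document below are constructed; the open policy is shown beside its hardened form.

```python
"""Decide whether an S3 bucket is publicly readable from the three things
that control that: its bucket policy, its ACL grants and its Block Public
Access settings.

Added example for this page; not FlexBooker's, vpnMentor's or AWS's code.
The bucket name, account ID, role name and all documents below are
constructed. It evaluates documents you already fetched from the API; it
does not call AWS itself.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

# Constructed policy of the kind that makes a bucket readable by anyone with a browser.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bookings-bucket",
                     "arn:aws:s3:::example-bookings-bucket/*"],
    }],
})

# Hardened form: same bucket, read limited to one application role.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bookings-bucket/*",
    }],
})

# Constructed ACL grants, in the shape GetBucketAcl returns.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}

# PublicAccessBlockConfiguration with every switch on: the account- or
# bucket-level setting that keeps a bucket private even if someone later
# attaches a public policy or ACL.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} means every AWS principal and anonymous requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Sids of Allow statements that grant a read action to everyone with no
    Condition. Statements with a Condition are skipped here and need manual
    review: AWS still treats many conditioned grants as public."""
    if not policy_json:
        return []  # no bucket policy attached
    policy = json.loads(policy_json)
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def is_publicly_readable(policy_json, acl, public_access_block=None):
    """True if either channel exposes the bucket. IgnorePublicAcls neutralises
    public ACL grants; RestrictPublicBuckets neutralises a public policy."""
    pab = public_access_block or {}
    acl_open = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    policy_open = (bool(public_read_statements(policy_json))
                   and not pab.get("RestrictPublicBuckets", False))
    return acl_open or policy_open


if __name__ == "__main__":
    print("open policy + open ACL, no block:", is_publicly_readable(OPEN_POLICY, OPEN_ACL))
    print("open policy + open ACL, block all:", is_publicly_readable(OPEN_POLICY, OPEN_ACL, BLOCK_ALL))
    print("locked policy + private ACL:", is_publicly_readable(LOCKED_POLICY, PRIVATE_ACL))
```

    The check is deliberately conservative in one direction only: a statement that carries a Condition is not reported, although AWS’s own definition of “public” still counts many conditioned grants, so those statements deserve a manual look. The more robust fix than reviewing policies is the one BLOCK_ALL models: turn on all four Block Public Access switches at the account level, so a bucket like FlexBooker’s cannot be made world-readable by a later misconfiguration.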

  • Third-party risk management: No one size fits all

    Third-party risk management (TPRM) is high on the list of business priorities and risk management priorities, and that’s a good thing. 

    Despite predictions in the early days of the COVID-19 pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that’s great news because, unlike in the years following the Great Recession, firms aren’t pulling back on security and risk investment.

    What’s in a name? Is it TPRM or IT VRM?

    To-may-to, to-mah-to, right? Not exactly. Here’s some context on third-party risk nomenclature. Financial services use “third parties” to align with OCC (Office of the Comptroller of the Currency) language, healthcare references “business associates” to align with HIPAA, and manufacturing commonly uses “supplier.” Everyone else gravitates to the term “vendor” because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is complying with IT control frameworks and standards.

    Forrester uses “third party” to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it’s not an employee, then it’s a third party.

    The TPRM market is not “one size fits all”

    Several types of vendors support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, third-party risk is more than a cybersecurity rating or a due diligence tool. Forrester defines this category as: platforms that identify, assess, score, monitor, and report on risks to the organization stemming from its third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding.

    There’s no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities:

      • Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity.
      • GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM.
      • Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics.
      • Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies and the range of capabilities of GRC platforms, and often provide supporting services, but are singularly focused on industries with complex third-party compliance requirements.

    Each segment contains vendors that will be a good fit for different types of buyers. This post was written by Senior Analyst Alla Valente, and it originally appeared here.

  • Get updating: Apple releases iOS 15.3.1 patch for 'actively exploited' security flaw

    If you didn’t already upgrade to iOS 15.3, now might be a good time to do it because of a security flaw Apple has now patched.

    Apple released iOS 15.3 earlier this month, but it didn’t include a fix for one security flaw, which Apple has now addressed in iOS 15.3.1. Details from Apple, as usual, are scant, but it gave enough to suggest this is a serious bug: it can lead to malicious code execution simply by a user opening a web page in Apple’s Safari browser. “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple said.

    The update is available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.

    Since the bug is in WebKit, the browser engine behind Safari, it also affects macOS, and Apple released macOS Monterey 12.2.1 to address the issue on Macs. Note that every third-party browser on iOS is required to use WebKit as well, so switching browsers is no workaround; installing the update is. The bug, like many security flaws, is a memory-safety flaw, a class of bug to which code written in C and C++ is particularly prone.

    According to Microsoft and Google, about 70% of security issues are caused by memory safety problems, and those issues sit in code written in C and C++, arguably the most important family of programming languages, used for decades in multi-million-line infrastructure systems like Windows, WebKit, Chrome, Android, Firefox, the Linux kernel and now embedded systems for Internet of Things devices.