More stories

  • in

    Google: Vendors took an average of 52 days to fix reported security vulnerabilities

    Google’s Project Zero released a report covering its work in 2021. It found that vendors took an average of 52 days to fix reported security vulnerabilities.Between 2019 and 2021, Project Zero researchers reported 376 issues to vendors under their 90-day deadline. Of those 376 issues, more than 93% of these bugs have been fixed and over 3% have been marked as “WontFix” by the vendors, according to Project Zero. The researchers added that 11 other bugs remain unfixed and 8 have passed their deadline to be fixed. Microsoft, Apple, and Google account for 65% of the bugs discovered. Microsoft led the way with 96 bugs, followed by 85 from Apple and 60 from Google.”Overall, the data show that almost all of the big vendors here are coming in under 90 days, on average. The bulk of fixes during a grace period comes from Apple and Microsoft (22 out of 34 total). Vendors have exceeded the deadline and grace period about 5% of the time over this period,” Project Zero researchers said. “In this slice, Oracle has exceeded at the highest rate, but admittedly with a relatively small sample size of only about 7 bugs. The next-highest rate is Microsoft, having exceeded 4 of their 80 deadlines. [The] average number of days to fix bugs across all vendors is 61 days.”
    Google
    Google also provided other statistics showing that the overall time to fix has consistently been decreasing, particularly for vendors like Microsoft, Apple, and Linux. All three reduced their time to fix between 2019 and 2020 while Google sped up in 2020 and slowed down again in 2021. 

    In 2021, they noted that only one 90-day deadline was exceeded, a stark decrease compared to the average of 9 per year in the other two years. The researchers added that the grace period was used 9 times — with half being by Microsoft — versus the slightly lower average of 12.5 in the other years.When it comes to mobile vulnerabilities, iOS devices had 76 total bugs, followed by 10 for Samsung Android devices and 6 for Pixel Androids. For browsers, Chrome had 40 bugs and an average time to patch of 5.3 days. WebKit had 27 bugs and an 11.6-day average time to patch while Firefox had 8 bugs and a 16.6-day average time to fix.”Chrome is currently the fastest of the three browsers, with time from bug report to releasing a fix in the stable channel in 30 days. Firefox comes in second in this analysis, though with a relatively small number of data points to analyze. Firefox releases a fix on average in 38 days,” the researchers said.”WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days. Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately, this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users.”Project Zero said the findings were a positive development, showing that many vendors are fixing most of the bugs they find. Vendors are also moving faster to rectify issues, with Google attributing it to responsible disclosure policies that have become the standard in the industry.Google urged all vendors to focus on a “more frequent patch cadence for security issues.””We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities. Through more transparency, information sharing, and collaboration across the industry, we believe we can learn from each other’s best practices, better understand existing difficulties and hopefully make the internet a safer place for all,” Project Zero said. More

  • in

    Amazon steps in to close exposed FlexBooker bucket after December data breach

    Digital scheduling platform FlexBooker has been accused of exposing the sensitive data of millions of customers, according to security researchers at vpnMentor.The researchers said the Ohio-based tech company was using an AWS S3 bucket to store data but did not implement any security measures, leaving the contents totally exposed and easily accessible to anyone with a web browser. The 19 million exposed files included full names, email addresses, phone numbers and appointment details. FlexBooker did not respond to requests for comment from ZDNet but vpnMentor said they contacted the company and Amazon about the issue.”We did contact them in January, to which they sent what seemed to be an automatic reply about the leak that affected them in December. We tried to explain it was a new breach, but didn’t hear back,” a vpnMentor spokesperson said. “Which is why we decided to contact AWS directly (as Flexbooker wrote on their site they were working together with Amazon), and soon after the bucket was secured (Amazon probably informed Flexbooker, as Amazon isn’t supposed to do it themselves).”In January, FlexBooker apologized for a data breach that involved the sensitive information of 3.7 million users. At the time, the company told ZDNet a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said their “system data storage was also accessed and downloaded” as part of the attack. They added they worked with Amazon to restore a backup and they were able to bring operations back in about 12 hours. 

    “We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”Researchers at vpnMentor said they were not aware of this data breach as they scanned the internet for potential vulnerabilities in December. By January 23, vpnMentor confirmed the latest issue and contacted FlexBooker on January 25. Amazon was contacted the same day and by January 26, Amazon had resolved the issue. “Flexbooker’s misconfigured AWS account contained over 19 million HTML files which exposed what seemed to be automated emails sent via FlexBooker’s platform to users. This means potentially up to 19 million people were exposed, depending on how many people made multiple bookings on a website using Flexbooker,” the researchers said in the report. “Each email appeared to be a confirmation message for bookings made via the platform, and exposed both the FlexBooker account holder and the person(s) who made a booking. For example, a plumbing supply company was using FlexBooker to schedule consultations between employees and customers. In this instance, PII data for both people were exposed.”One of the appointments exposed by FlexBookers platform. 
    vpnMentor
    The leaks are alarming because they included links with unique codes that could be used to create cancellation links, edit links, and view the appointment details that were hidden in the emails.The S3 bucket was also live when vpnMentor discovered it, meaning it was constantly being updated with new information, exposing more and more people every day. vpnMentor included screenshots of the appointments, which ranged from COVID-19 tests to pet euthanizations and babysitting appointments. The babysitting emails exposed the sensitive information of children as well. “A few days after the breach was secured, we observed hackers on the dark web once again selling private data apparently owned by Flexbooker. It’s not clear if this was from the previous breach, the one our team discovered, or a mix of both. However, it shows the risk for companies who don’t adequately secure their users’ data and how quickly hackers can get stolen data out into the open,” the researchers explained. In January, Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the first trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.”A FlexBooker spokesperson confirmed Hunt’s report, telling ZDNet that the last 3 digits of card numbers were included in the breach but not the full card information, expiration date, or CVV.  More

  • in

    Third-party risk management: No one size fits all

    Third-party risk management (TPRM) is high on the list of business priorities and risk management priorities, and that’s a good thing. 

    Despite predictions in the early days of the COVID-19 pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that’s great news because, unlike in the years following the Great Recession, firms aren’t pulling back on security and risk investment. What’s in a name? Is it TRPM or IT VRM? To-may-to, to-mah-to, right? Not exactly. Here’s some context on third-party risk nomenclature. Financial services use “third parties” to align with OCC (Office of the Comptroller of the Currency) language, healthcare references “business associates” to align with HIPAA, and manufacturing commonly uses “supplier.” Everyone else gravitates to the term “vendor” because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is about complying with the IT control frameworks/standards. Also: The definition of modern Zero TrustForrester uses “third party” to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it’s not an employee, then it’s a third party. The TPRM market is not “one size fits all” 

    Several types of vendors support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, the third-party risk is more than a cybersecurity rating or a due diligence tool. Forrester defines this category as: Platforms that identify assess, score, monitor, and report on risks to the organization stemming from their third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding. There’s no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities: Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity. GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM. Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics. Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies, the range of capabilities of GRC platforms, and often provide supporting services but are singularly focused on industries with complex third-party compliance requirements. Each segment contains vendors that will be a good fit for different types of buyers. This post was written by Senior Analyst Alla Valente, and it originally appeared here.  More

  • in

    Get updating: Apple releases iOS 15.3.1 patch for 'actively exploited' security flaw

    If you didn’t already upgrade to iOS 15.3, now might be a good time to do it because of a security flaw Apple has now patched.Apple released iOS 15.3 earlier this month but it didn’t include one fix for a security flaw it has now addressed in iOS 15.3.1. Details from Apple, as usual, are scant but it gave enough to suggest it is a serious bug because it can lead to malicious code execution simply by users opening a web page in the Apple Safari browser. “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple said.   The update is available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.Since the bug affects WebKit, the browser engine for Safari, it also affects macOS. Apple also released macOS Monterey 12.2.1 to address the issue on Macs.  The bug, like many security flaws, was a memory flaw that code written in C++ is particularly prone to. 

    According to Microsoft and Google, about 70% of a security issues are caused by memory safety problems and those issues are tied to flaws written in C and C++, arguably the most important family of programming languages that have been used for decades in multi-million line infrastructure systems like Windows, WebKit, Chrome, Android, Firefox, the Linux kernel and now embedded systems for Internet of Things devices. More

  • in

    These cybercriminals plant criminal evidence on human rights defender, lawyer devices

    Cybercriminals are hijacking the devices of civil rights activists and planting “incriminating evidence” in covert cyberattacks, researchers warn.

    ZDNet Recommends

    The best security key

    While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

    Read More

    According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. The APT is thought to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continually and persistently targeted specific, high-profile people of interest.  However, rather than focusing on data theft, the APT’s activities are far more sinister: once inside a victim’s machine, the group conducts surveillance and may plant incriminating files later used to prosecute individuals. “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ — files that incriminate the target in specific crimes — prior to conveniently coordinated arrests,” the researchers say. SentinelLabs has identified “hundreds of groups and individuals” targeted by the APT. ModifiedElephant starts an infection chain with spear-phishing emails. These emails contain documents laden with malware, including the NetWire and DarkComet remote access trojans (RATs), as well as keyloggers and an Android Trojan. 

    SentinelLabs has connected the dots between previously unattributable attacks and says that while ModifiedElephant has operated under the radar for so long, there is an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.” While the malware used by the threat actors is considered “mundane” and not particularly sophisticated, a number of the APT’s victims have also been targeted with NSO Group’s Pegasus surveillanceware, the subject of an explosive investigation by Amnesty International, Forbidden Stories, and various media outlets in 2021. While attribution isn’t concrete, the team says that ModifiedElephant activity “aligns sharply with Indian state interests.”  “Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” SentinelLabs cautioned. “A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence.” See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    Spanish police arrest suspects in SIM-swapping ring

    Spanish law enforcement has arrested eight people suspected of running a SIM-swapping ring. 

    SIM-swapping attacks, also known as SIM hijacking, occur when criminals attempt to take over your phone number. As our mobiles are now central hubs used in second-stage account verification, including through two-factor authentication (2FA) text messages or apps, being able to dupe carriers into handing over control means that victims may lose access to their online accounts and services.  SIM-swaps usually lead to the theft of funds from bank accounts and cryptocurrency wallets. Last year, a UK national was indicted by US law enforcement for allegedly performing a SIM-swap to steal $784,000 in cryptocurrency, and as one of our own writers experienced, funds can be stolen to make cryptocurrency purchases that are then sent to attacker-controlled wallets.  So-called ‘porting’ of a phone number occurs when a criminal uses stolen information and social engineering to pretend to be a carrier’s customer and makes the request for a number transfer or for a duplicate SIM to be sent out. Even if a victim quickly realizes something is wrong, a short time window is all that is needed to cause serious damage.In the case investigated by Spain’s National Police, eight suspects allegedly used phishing texts, emails, and instant messages to masquerade as banks. Victims would then hand over their sensitive, personal data and bank details, providing the information required for social engineering attempts.  Now armed with this information, the suspects reportedly contacted carriers and requested duplicate SIM cards for their victims’ phone numbers. 

    SIM-swap attacks would then be performed, in which the telephone numbers linked to the bank accounts would, for a time, be under the criminal’s control. It was then possible for the cybercriminals to intercept the 2FA codes sent by the victim’s bank to access their accounts and conduct fraudulent transactions. The police say that the suspects also “falsified official documents.” In particular, photocopies of Documento nacional de identidad (DNI) identity cards were shown to staff, in which photographs were manipulated to make the fraudster appear to be the legitimate handset owner.  The eight individuals, seven located in Barcelona and one in Seville, are being detained. According to the National Police, law enforcement first caught wind of the scheme in March 2021, when complaints were made relating to fraudulent bank transfers.  “Although the initial steps took place in remote places, the investigations led the investigators to the province of Barcelona, where those now detained laundered the defrauded money operating through bank transfers and digital instant payment platforms,” officers said.  In February, the Federal Bureau of Investigation (FBI) warned that SIM-swapping attack rates are increasing.  According to the law enforcement agency, from January 2018 to December 2020, 320 SIM-swapping attack complaints were recorded, with losses reaching roughly $12 million. In 2021 alone, 1,611 SIM-swapping complaints were made with estimated damages of at least $68 million.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    $1.3 billion lost to romance scams in the past five years: FTC

    Netflix’s new title, The Tinder Swindler, is a wild ride. 

    The show examines how an alleged fraudster impacted the lives of multiple women, matching with them on Tinder and treating them to expensive dates to gain their trust and eventually ask for huge sums of money. While you may watch the show and wonder how someone – no matter their gender – could allow themselves to be swindled out of their savings, romance scams are common, breaking hearts and wiping bank balances around the world every day.   We’ve moved on from the days of ‘lonely hearts’ columns to dating apps — and they are also popular channels to conduct fraud.Fake profiles, stolen photos and videos, and sob stories from fraudsters pretending to business troubles, their car has broken down, they can’t afford to meet a match, or in The Tinder Swindler’s case, their ‘enemies’ are after them – are all weapons designed to secure interest and sympathy.  Schemes can also be far more subtle than direct requests for money. In past cases, users have been lured into explicit webcam sessions with a match and then blackmailed, and in others, dating apps and social media networks are used as conduits to tout cryptocurrency and financial scams.  According to the US Federal Trade Commission (FTC), romance-based fraud and scams have reached a “record” high, with $547 million in losses reported in 2021 in the United States alone. 

    Data collected by the US watchdog over the past five years reveals reported losses were up almost 80% last year in comparison to 2020 and overall, the trend continues to surge upward.
    FTC
    In total, consumers have lost at least $1.3 billion. The average victim will lose $2,400, but this rate can be both lower – and far higher.  Another trend of note is that romance scam artists are cashing in on cryptocurrency.  This is how it works: a fake love interest will talk to their victim for long enough to gain their trust and then will offer them a lucrative and time-sensitive business opportunity: if you invest in this cryptocurrency exchange or financial product, you will have X in returns. The problem is that funds sent to a wallet owned by the fraudster will never be legitimately invested or returned, or a victim may be lured into downloading a fake cryptocurrency trading app, leading to the theft of their funds and sensitive data.  The FTC says that median losses for consumers in cryptocurrency scams are close to $10,000.  “The largest reported losses to romance scams were paid in cryptocurrency: $139 million last year alone,” the FTC says. “That’s a remarkable growth in cryptocurrency payments to romance scammers: 2021 numbers are nearly five times those reported in 2020, and more than 25 times those reported in 2019.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    Beware of spies and radicalisation attempts online: ASIO chief

    Image: Miguel Sotomayor/Getty Images
    Foreign spies are increasingly approaching Australians on social media and even dating sites, according to Mike Burgess, director-general of the Australian Security and Intelligence Organisation (ASIO).”Spies are adept at using the internet for their recruitment efforts,” he said in his third annual threat assessment speech on Wednesday night.Burgess said spies make “seemingly innocuous approaches” such as job offers on “any of the popular social media or internet platforms”.”This then progresses to direct messaging on different, encrypted platforms, or in-person meetings, before a recruitment pitch is made,” he said.During the COVID-19 pandemic, these approaches shifted from professional networking sites — he means LinkedIn — to more personal messaging platforms, such as WhatsApp.”ASIO is also tracking suspicious approaches on dating platforms such as Tinder, Bumble, and Hinge,” Burgess said.”My message for any potential victims on these sites is a familiar one: If it seems too good to be true, it probably is.”

    This message was reinforced, albeit clumsily, by Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security.”If you’re a six and they’re a 10, it might not be your looks that they’ve been charmed by. It might be your access to classified information,” Paterson said.Minors radicalised online are getting younger and more intenseThe pandemic also sent online radicalisation attempts “into overdrive”, Burgess said, with the extra time spent online by isolated individuals serving as the foundation for the uptick.”Social media platforms, chat rooms, and algorithms are designed to join up people who share the same views, and push them material they will ‘like’. It’s like being in an echo chamber where the echo gets louder and louder, generating cycles of exposure and reinforcement,” the ASIO director-general said.”More time in those online environments — without some of the circuit breakers of everyday life, like family and community engagement, school and work — created more extremists. And in some cases, it accelerated extremists’ progression on the radicalisation pathway towards violence.”According to the agency’s statistics, this trend towards spending more time online has seen the number of young Australians being radicalised continue to rise. The number of minors becoming the subject of new counter-terrorism investigations has risen from 2-3% “a few years ago” to around 15%. It’s also led to the age of minors being radicalised dropping lower.   “Children as young as 13 are now embracing extremism … and unlike past experience, many of these young people do not come from families where a parent or sibling already holds extreme views,” Burgess said. With the increase of radicalised minors, minors are also taking on larger roles in extremist groups in both online and face-to-face environments.”Where once minors tended to be on the fringe of extremist groups, we are now seeing teenagers in leadership positions, directing adults, and willing to take violent action themselves,” Burgess said.”We have seen cases involving young, radicalised violent extremists systematically targeting vulnerable associates who were lonely or going through tough times.”According to Burgess, minors now make up more than half of ASIO’s priority counter-terrorism investigations each week and some of them are preying on other minors through “grooming techniques similar to those used by paedophiles”. “The tactics used by the extremists in these cases involved a combination of attention, flattery and friendship, which shifted to bullying and manipulation. We’ve seen young ringleaders deliberately desensitise their targets, gradually exposing them to more extreme and more violent propaganda, until the most graphic material imaginable was normalised,” Burgess said.These comments echo figures from the UK published in November last year, when pandemic lockdowns and extended time spent out of school led to a rise in extremist views and conspiracy theories among pupils.The Guardian reported that of the teachers surveyed by the UCL Institute of Education, “95% had heard pupils express racist views, 90% had encountered homophobia or conspiracy theories, and nearly three-quarters had encountered extremist views on women or Islamophobic views”.The charity Hope Not Hate was reported to be seeing “younger students becoming involved in far-right extremism, including boys as young as 13, often using the Telegram messaging app”.Burgess rejects ‘the Borg defence’ in cybersecurity”Good security is achievable, and good security works,” Burgess said.He finds it “infuriating” when companies say their adversaries are so powerful that there are no ways to defend against them.”That’s what I call the Borg defence — ‘resistance is futile’. In my experience, resistance is rarely futile,” he said. “Certainly, in the cyber field, the overwhelming majority of compromises are foreseeable and avoidable.”Burgess also called out the media for what they “breathlessly called ‘cyber attacks'”.”[They] are not compromises at all — they are reconnaissance missions. If the digital doors are locked, the intruder moves on and tries somewhere else.”Tantalising details of ASIO counter-intelligence operationsBurgess also detailed in his speech two cases which, while outside ZDNet’s normal remit, are worth mentioning for context. In one, ASIO “ painstakingly mapped out a foreign intelligence service’s onshore network of sources and contacts” and then picked it apart.”Australians who were targeted by the foreign intelligence service included current and former high-ranking government officials, academics, members of think tanks, business executives, and members of a diaspora community,” Burgess said.In the other, “a wealthy individual who maintained direct and deep connections with a foreign government and its intelligence agencies” was attempting to set up a political interference operation.This operation identified candidates who were likely to run in that election — the election in question wasn’t revealed — before proceeding to plot ways of advancing the candidates’ political prospects.”The aim was not just to get the candidates into positions of power, but also to generate a sense of appreciation, obligation and indebtedness that could subsequently be exploited,” Burgess said.”The political candidates had no knowledge of the plot. Even if the plan had proceeded, they would not have known who was pulling the strings.”The ABC has subsequently reported that “intelligence sources familiar with the matter” said the operation was “orchestrated by Russia”, with the wealthy individual in question being “linked to Russian spy agencies and President Vladimir Putin’s regime”.However, the Nine news outlets are reporting that “a Chinese intelligence service was behind the plot and that it involved NSW Labor,” citing their own unnamed “multiple security sources”.Related Coverage More