More stories

  • in

    Third-party risk management: No one size fits all

    Third-party risk management (TPRM) is high on the list of business priorities and risk management priorities, and that’s a good thing. 

    Despite predictions in the early days of the COVID-19 pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that’s great news because, unlike in the years following the Great Recession, firms aren’t pulling back on security and risk investment. What’s in a name? Is it TRPM or IT VRM? To-may-to, to-mah-to, right? Not exactly. Here’s some context on third-party risk nomenclature. Financial services use “third parties” to align with OCC (Office of the Comptroller of the Currency) language, healthcare references “business associates” to align with HIPAA, and manufacturing commonly uses “supplier.” Everyone else gravitates to the term “vendor” because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is about complying with the IT control frameworks/standards. Also: The definition of modern Zero TrustForrester uses “third party” to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it’s not an employee, then it’s a third party. The TPRM market is not “one size fits all” 

    Several types of vendors support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, the third-party risk is more than a cybersecurity rating or a due diligence tool. Forrester defines this category as: Platforms that identify assess, score, monitor, and report on risks to the organization stemming from their third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding. There’s no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities: Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity. GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM. Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics. Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies, the range of capabilities of GRC platforms, and often provide supporting services but are singularly focused on industries with complex third-party compliance requirements. Each segment contains vendors that will be a good fit for different types of buyers. This post was written by Senior Analyst Alla Valente, and it originally appeared here.  More

  • in

    Get updating: Apple releases iOS 15.3.1 patch for 'actively exploited' security flaw

    If you didn’t already upgrade to iOS 15.3, now might be a good time to do it because of a security flaw Apple has now patched.Apple released iOS 15.3 earlier this month but it didn’t include one fix for a security flaw it has now addressed in iOS 15.3.1. Details from Apple, as usual, are scant but it gave enough to suggest it is a serious bug because it can lead to malicious code execution simply by users opening a web page in the Apple Safari browser. “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple said.   The update is available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.Since the bug affects WebKit, the browser engine for Safari, it also affects macOS. Apple also released macOS Monterey 12.2.1 to address the issue on Macs.  The bug, like many security flaws, was a memory flaw that code written in C++ is particularly prone to. 

    According to Microsoft and Google, about 70% of a security issues are caused by memory safety problems and those issues are tied to flaws written in C and C++, arguably the most important family of programming languages that have been used for decades in multi-million line infrastructure systems like Windows, WebKit, Chrome, Android, Firefox, the Linux kernel and now embedded systems for Internet of Things devices. More

  • in

    These cybercriminals plant criminal evidence on human rights defender, lawyer devices

    Cybercriminals are hijacking the devices of civil rights activists and planting “incriminating evidence” in covert cyberattacks, researchers warn.

    ZDNet Recommends

    The best security key

    While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

    Read More

    According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. The APT is thought to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continually and persistently targeted specific, high-profile people of interest.  However, rather than focusing on data theft, the APT’s activities are far more sinister: once inside a victim’s machine, the group conducts surveillance and may plant incriminating files later used to prosecute individuals. “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ — files that incriminate the target in specific crimes — prior to conveniently coordinated arrests,” the researchers say. SentinelLabs has identified “hundreds of groups and individuals” targeted by the APT. ModifiedElephant starts an infection chain with spear-phishing emails. These emails contain documents laden with malware, including the NetWire and DarkComet remote access trojans (RATs), as well as keyloggers and an Android Trojan. 

    SentinelLabs has connected the dots between previously unattributable attacks and says that while ModifiedElephant has operated under the radar for so long, there is an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.” While the malware used by the threat actors is considered “mundane” and not particularly sophisticated, a number of the APT’s victims have also been targeted with NSO Group’s Pegasus surveillanceware, the subject of an explosive investigation by Amnesty International, Forbidden Stories, and various media outlets in 2021. While attribution isn’t concrete, the team says that ModifiedElephant activity “aligns sharply with Indian state interests.”  “Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” SentinelLabs cautioned. “A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence.” See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    Spanish police arrest suspects in SIM-swapping ring

    Spanish law enforcement has arrested eight people suspected of running a SIM-swapping ring. 

    SIM-swapping attacks, also known as SIM hijacking, occur when criminals attempt to take over your phone number. As our mobiles are now central hubs used in second-stage account verification, including through two-factor authentication (2FA) text messages or apps, being able to dupe carriers into handing over control means that victims may lose access to their online accounts and services.  SIM-swaps usually lead to the theft of funds from bank accounts and cryptocurrency wallets. Last year, a UK national was indicted by US law enforcement for allegedly performing a SIM-swap to steal $784,000 in cryptocurrency, and as one of our own writers experienced, funds can be stolen to make cryptocurrency purchases that are then sent to attacker-controlled wallets.  So-called ‘porting’ of a phone number occurs when a criminal uses stolen information and social engineering to pretend to be a carrier’s customer and makes the request for a number transfer or for a duplicate SIM to be sent out. Even if a victim quickly realizes something is wrong, a short time window is all that is needed to cause serious damage.In the case investigated by Spain’s National Police, eight suspects allegedly used phishing texts, emails, and instant messages to masquerade as banks. Victims would then hand over their sensitive, personal data and bank details, providing the information required for social engineering attempts.  Now armed with this information, the suspects reportedly contacted carriers and requested duplicate SIM cards for their victims’ phone numbers. 

    SIM-swap attacks would then be performed, in which the telephone numbers linked to the bank accounts would, for a time, be under the criminal’s control. It was then possible for the cybercriminals to intercept the 2FA codes sent by the victim’s bank to access their accounts and conduct fraudulent transactions. The police say that the suspects also “falsified official documents.” In particular, photocopies of Documento nacional de identidad (DNI) identity cards were shown to staff, in which photographs were manipulated to make the fraudster appear to be the legitimate handset owner.  The eight individuals, seven located in Barcelona and one in Seville, are being detained. According to the National Police, law enforcement first caught wind of the scheme in March 2021, when complaints were made relating to fraudulent bank transfers.  “Although the initial steps took place in remote places, the investigations led the investigators to the province of Barcelona, where those now detained laundered the defrauded money operating through bank transfers and digital instant payment platforms,” officers said.  In February, the Federal Bureau of Investigation (FBI) warned that SIM-swapping attack rates are increasing.  According to the law enforcement agency, from January 2018 to December 2020, 320 SIM-swapping attack complaints were recorded, with losses reaching roughly $12 million. In 2021 alone, 1,611 SIM-swapping complaints were made with estimated damages of at least $68 million.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    $1.3 billion lost to romance scams in the past five years: FTC

    Netflix’s new title, The Tinder Swindler, is a wild ride. 

    The show examines how an alleged fraudster impacted the lives of multiple women, matching with them on Tinder and treating them to expensive dates to gain their trust and eventually ask for huge sums of money. While you may watch the show and wonder how someone – no matter their gender – could allow themselves to be swindled out of their savings, romance scams are common, breaking hearts and wiping bank balances around the world every day.   We’ve moved on from the days of ‘lonely hearts’ columns to dating apps — and they are also popular channels to conduct fraud.Fake profiles, stolen photos and videos, and sob stories from fraudsters pretending to business troubles, their car has broken down, they can’t afford to meet a match, or in The Tinder Swindler’s case, their ‘enemies’ are after them – are all weapons designed to secure interest and sympathy.  Schemes can also be far more subtle than direct requests for money. In past cases, users have been lured into explicit webcam sessions with a match and then blackmailed, and in others, dating apps and social media networks are used as conduits to tout cryptocurrency and financial scams.  According to the US Federal Trade Commission (FTC), romance-based fraud and scams have reached a “record” high, with $547 million in losses reported in 2021 in the United States alone. 

    Data collected by the US watchdog over the past five years reveals reported losses were up almost 80% last year in comparison to 2020 and overall, the trend continues to surge upward.
    FTC
    In total, consumers have lost at least $1.3 billion. The average victim will lose $2,400, but this rate can be both lower – and far higher.  Another trend of note is that romance scam artists are cashing in on cryptocurrency.  This is how it works: a fake love interest will talk to their victim for long enough to gain their trust and then will offer them a lucrative and time-sensitive business opportunity: if you invest in this cryptocurrency exchange or financial product, you will have X in returns. The problem is that funds sent to a wallet owned by the fraudster will never be legitimately invested or returned, or a victim may be lured into downloading a fake cryptocurrency trading app, leading to the theft of their funds and sensitive data.  The FTC says that median losses for consumers in cryptocurrency scams are close to $10,000.  “The largest reported losses to romance scams were paid in cryptocurrency: $139 million last year alone,” the FTC says. “That’s a remarkable growth in cryptocurrency payments to romance scammers: 2021 numbers are nearly five times those reported in 2020, and more than 25 times those reported in 2019.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    Beware of spies and radicalisation attempts online: ASIO chief

    Image: Miguel Sotomayor/Getty Images
    Foreign spies are increasingly approaching Australians on social media and even dating sites, according to Mike Burgess, director-general of the Australian Security and Intelligence Organisation (ASIO).”Spies are adept at using the internet for their recruitment efforts,” he said in his third annual threat assessment speech on Wednesday night.Burgess said spies make “seemingly innocuous approaches” such as job offers on “any of the popular social media or internet platforms”.”This then progresses to direct messaging on different, encrypted platforms, or in-person meetings, before a recruitment pitch is made,” he said.During the COVID-19 pandemic, these approaches shifted from professional networking sites — he means LinkedIn — to more personal messaging platforms, such as WhatsApp.”ASIO is also tracking suspicious approaches on dating platforms such as Tinder, Bumble, and Hinge,” Burgess said.”My message for any potential victims on these sites is a familiar one: If it seems too good to be true, it probably is.”

    This message was reinforced, albeit clumsily, by Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security.”If you’re a six and they’re a 10, it might not be your looks that they’ve been charmed by. It might be your access to classified information,” Paterson said.Minors radicalised online are getting younger and more intenseThe pandemic also sent online radicalisation attempts “into overdrive”, Burgess said, with the extra time spent online by isolated individuals serving as the foundation for the uptick.”Social media platforms, chat rooms, and algorithms are designed to join up people who share the same views, and push them material they will ‘like’. It’s like being in an echo chamber where the echo gets louder and louder, generating cycles of exposure and reinforcement,” the ASIO director-general said.”More time in those online environments — without some of the circuit breakers of everyday life, like family and community engagement, school and work — created more extremists. And in some cases, it accelerated extremists’ progression on the radicalisation pathway towards violence.”According to the agency’s statistics, this trend towards spending more time online has seen the number of young Australians being radicalised continue to rise. The number of minors becoming the subject of new counter-terrorism investigations has risen from 2-3% “a few years ago” to around 15%. It’s also led to the age of minors being radicalised dropping lower.   “Children as young as 13 are now embracing extremism … and unlike past experience, many of these young people do not come from families where a parent or sibling already holds extreme views,” Burgess said. With the increase of radicalised minors, minors are also taking on larger roles in extremist groups in both online and face-to-face environments.”Where once minors tended to be on the fringe of extremist groups, we are now seeing teenagers in leadership positions, directing adults, and willing to take violent action themselves,” Burgess said.”We have seen cases involving young, radicalised violent extremists systematically targeting vulnerable associates who were lonely or going through tough times.”According to Burgess, minors now make up more than half of ASIO’s priority counter-terrorism investigations each week and some of them are preying on other minors through “grooming techniques similar to those used by paedophiles”. “The tactics used by the extremists in these cases involved a combination of attention, flattery and friendship, which shifted to bullying and manipulation. We’ve seen young ringleaders deliberately desensitise their targets, gradually exposing them to more extreme and more violent propaganda, until the most graphic material imaginable was normalised,” Burgess said.These comments echo figures from the UK published in November last year, when pandemic lockdowns and extended time spent out of school led to a rise in extremist views and conspiracy theories among pupils.The Guardian reported that of the teachers surveyed by the UCL Institute of Education, “95% had heard pupils express racist views, 90% had encountered homophobia or conspiracy theories, and nearly three-quarters had encountered extremist views on women or Islamophobic views”.The charity Hope Not Hate was reported to be seeing “younger students becoming involved in far-right extremism, including boys as young as 13, often using the Telegram messaging app”.Burgess rejects ‘the Borg defence’ in cybersecurity”Good security is achievable, and good security works,” Burgess said.He finds it “infuriating” when companies say their adversaries are so powerful that there are no ways to defend against them.”That’s what I call the Borg defence — ‘resistance is futile’. In my experience, resistance is rarely futile,” he said. “Certainly, in the cyber field, the overwhelming majority of compromises are foreseeable and avoidable.”Burgess also called out the media for what they “breathlessly called ‘cyber attacks'”.”[They] are not compromises at all — they are reconnaissance missions. If the digital doors are locked, the intruder moves on and tries somewhere else.”Tantalising details of ASIO counter-intelligence operationsBurgess also detailed in his speech two cases which, while outside ZDNet’s normal remit, are worth mentioning for context. In one, ASIO “ painstakingly mapped out a foreign intelligence service’s onshore network of sources and contacts” and then picked it apart.”Australians who were targeted by the foreign intelligence service included current and former high-ranking government officials, academics, members of think tanks, business executives, and members of a diaspora community,” Burgess said.In the other, “a wealthy individual who maintained direct and deep connections with a foreign government and its intelligence agencies” was attempting to set up a political interference operation.This operation identified candidates who were likely to run in that election — the election in question wasn’t revealed — before proceeding to plot ways of advancing the candidates’ political prospects.”The aim was not just to get the candidates into positions of power, but also to generate a sense of appreciation, obligation and indebtedness that could subsequently be exploited,” Burgess said.”The political candidates had no knowledge of the plot. Even if the plan had proceeded, they would not have known who was pulling the strings.”The ABC has subsequently reported that “intelligence sources familiar with the matter” said the operation was “orchestrated by Russia”, with the wealthy individual in question being “linked to Russian spy agencies and President Vladimir Putin’s regime”.However, the Nine news outlets are reporting that “a Chinese intelligence service was behind the plot and that it involved NSW Labor,” citing their own unnamed “multiple security sources”.Related Coverage More

  • in

    French privacy regulator finds using Google Analytics can breach GDPR

    Image: Google
    France’s privacy regulator has found instances where using Google Analytics is not compliant with the European Union’s General Data Protection Regulation (GDPR). Through an investigation into unnamed local website’s data practices, the Commission nationale de l’informatique et des libertés (CNIL) found that the website’s use of Google Analytics was in violation of the GDPR. The French regulator said using the tool breached Article 44, which bans personal data transfers from within the bloc to “third-party countries” that do not have equivalent privacy protections in place. Among the countries that fail to meet this threshold is the US as it does not provide non-US citizens with the means to know how their data is acquired or used. US laws also do not provide non-US citizens with the ability for recourse when their data is misused.   The regulator’s investigation into the unnamed local website was done in conjunction with looking into 100 other complaints that were filed to privacy advocacy group Noyb shortly after the European Court of Justice struck down the EU-US Privacy Shield agreement in 2020. The complaints were filed to Noyb, whose founder, Max Schrems, was the one who initiated proceedings to invalidate the Privacy Shield agreement. With this finding, the CNIL has ordered the unnamed local website to comply with the GDPR. In doling out this order, the regulator said, if necessary, the website would have to stop using Google Analytics under the current conditions. The website will have one month to comply with the order.

    “Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,” CNIL said in a statement. “There is therefore a risk for French website users who use this service and whose data is exported.” The CNIL clarified, however, that there may be some instances where use of Google Analytics does meet GDPR requirements such as ensuring the tool is only used to produce anonymous statistical data. CNIL explained that using Google Analytics in this way would create a consent exemption so long as the data is not transferred illegally. In addition to issuing the order, CNIL said it would launch an evaluation to determine which audience measurement and ad tools are exempt from consent. The French GDPR interpretation follows Google urging lawmakers in the US and Europe to establish new rules for a secure data transfer framework last month. In expressing its concern, Google called for more transparency on how to interpret the GDPR, with its global affairs president Kent Walker claiming the lack of a data transfer framework would lead to a lack of legal stability. Other US tech giants, like Meta, have similarly not taken favourably to the lack of an EU-US data transfer framework. In light of the current lack of one, Meta “threatened” to pull its services out of Europe in its annual filing to the US Securities Exchange Commission. The tech giant subsequently walked back on its comments, however, after the “threat” made headlines on various outlets and received criticism from European politicians. “Meta is not wanting or ‘threatening’ to leave Europe and any reporting that implies we do is simply not true. Much like 70 other EU and US companies, we are identifying a business risk resulting from uncertainty around international data transfers,” said Markus Reinisch, Meta Europe public policy VP. Related Coverage More

  • in

    Moxa customers urged to patch five vulnerabilities found in MXview network management software

    Moxa users are being urged to upgrade MXview to version 3.2.4 or higher to remediate five vulnerabilities discovered by Claroty’s Team82.The issues affect the Taiwanese company’s MXview web-based network management system versions 3.x to 3.2.2 and collectively, ICS-CERT scored the vulnerabilities a 10.0, its highest criticality score.According to Team82, an unauthenticated attacker successfully chaining two or more of these vulnerabilities could achieve remote code execution on any unpatched MXview server. The US Cybersecurity and Infrastructure Security Agency (CISA) released an ICS advisory for the vulnerabilities in October, noting that successful exploitation of these vulnerabilities “may allow an attacker to create or overwrite critical files to execute code, gain access to the program, obtain credentials, disable the software, read and modify otherwise inaccessible data, allow remote connections to internal communication channels, or interact and use MQTT remotely.”The web-based network management system was designed for monitoring and managing Moxa-based devices. Team 82 disclosed five vulnerabilities (CVE-2021-38452, CVE-2021-38456, CVE-2021-38460, CVE-2021-38458 and CVE-2021-38454) in the MXView platform. The company also provided a proof of concept showing how an attack would work. Bugcrowd CTO Casey Ellis said it is “an impactful set of vulnerabilities.” “Command injection via MQTT is an interesting and seldom discussed technique, and only goes to demonstrate the increasing complexity of the input vectors any given application may have,” Ellis said. “Proper sanitization is important everywhere, not just on real-time inputs which are exposed directly to users.”

    Moxa’s MXview is a significant player in the ICS and overall IoT market with their focus on converged networks — few network management vendors focus on this space — and therefore the significance of these vulnerabilities is high, according to Viakoo CEO Bud Broomhead.Broomhead added that with manufacturing and line-of-business organizations using them, not all their end users will have the IT resources or knowledge to quickly remediate these vulnerabilities — making the high severity vulnerabilities that much more dangerous. “These vulnerabilities, without question, will have a major impact. All 5 vulnerabilities have a 10/10 severity score, and because they are focused on converged networks it increases the likelihood of threat actors exploiting them in order to move laterally into corporate networks,” Broomhead told ZDNet.  “In addition, these vulnerabilities enable privilege management exploits; vulnerabilities in privilege management almost always will be viewed as a high level risk, especially given the damage that cyber criminals with root-level privileges can do such as placing malware, controlling critical infrastructure, or covering the tracks of a threat actor.”  More