More stories

    Over 20 years of employee data leaked during McMenamins ransomware attack

    Oregon-based venue operator McMenamins said employee data was accessed during a ransomware attack that occurred on December 12. In a statement, the company explained that even though they managed to “block” the attack, employee information dating back to 1998 was compromised. 

    The employee files included standard information (name, address, phone number, date of birth, race, disability status, and more) as well as sensitive information (Social Security numbers, bank account information, health insurance plans, income amount, and disciplinary notes). Breach notification letters were sent to anyone who worked for the company between July 1, 2010 and December 12, 2021, while those employed between January 1, 1998 and June 30, 2010 were only provided with a notice on the company website about options for support. The hackers gained access to business records, human resources data, and payroll data files, encrypting the data for employees at the company between 1998 and 2010. McMenamins released the public notice on its website because it has lost access to the contact information for those who worked for the company during those years. The company was able to recover the files from 2010 to 2021 and send breach notification letters to those victims. The Oregonian reported that McMenamins told the Oregon Department of Justice that 14,861 people were sent breach notification letters, while up to 30,000 people may have had their information involved in the breach.

    “As soon as we realized what was happening, we blocked access to our systems to contain the attack that day. It appears that cybercriminals gained access to company systems beginning on December 7 and through the launch of the ransomware attack on December 12. During this time, they installed malicious software on the company’s computer systems that prevented us from using or accessing the information they contain,” the company said in a notice on its website.

    The company — which runs dozens of hotels, bars, movie theaters, concert venues, restaurants, and more across the Pacific Northwest — said it is offering victims one year of identity theft protection and credit monitoring services. McMenamins is still recovering from the attack and noted on its website that email systems are still down. It contacted the FBI, local law enforcement, and the Attorneys General of Oregon and Washington to notify them of the attack. The company has already hired a cybersecurity firm to help with the recovery process. The company’s properties are still open, but its credit card processing and hotel reservation systems were affected. Guests at its hotels have been asked to call to manage bookings. No customer or partner data was involved in the attack, according to the company, which said it is unclear when its systems will be fully back up and running.

    Bleeping Computer reported in December that the Conti ransomware group was behind the attack on McMenamins. Both CISA and the FBI said in September that they have seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises.

    “We’re devastated our people need to do so, but we’re urging them to vigilantly monitor their accounts and healthcare information for anything unusual. They should immediately notify their financial institutions or health providers if they see anything out of sort,” said company founder Brian McMenamin.

    Google acquires Israeli cybersecurity company Siemplify

    Google announced on Tuesday that it is acquiring Israeli cybersecurity startup Siemplify for a reported $500 million. 

    Google Cloud Security vice president Sunil Potti said Siemplify is a leader in the security orchestration, automation and response (SOAR) field. Its platform will be integrated into Google Cloud’s security team “to help companies better manage their threat response.”

    “In a time when cyberattacks are rapidly growing in both frequency and sophistication, there’s never been a better time to bring these two companies together. We both share the belief that security analysts need to be able to solve more incidents with greater complexity while requiring less effort and less specialized knowledge. With Siemplify, we will change the rules on how organizations hunt, detect and respond to threats,” Potti said. “Providing a proven SOAR capability unified with Chronicle’s innovative approach to security analytics is an important step forward in our vision. Building an intuitive, efficient security operations workflow around planet-scale security telemetry will further realize Google Cloud’s vision of a modern threat management stack that empowers customers to go beyond typical security event and information management (SIEM) and extended detection and response (XDR) tooling, enabling better detection and response at the speed and scale of modern environments.”

    Potti explained that Siemplify’s platform was built to streamline the tasks of SOC analysts and assist them in responding to cyber threats. According to Potti, the acquisition is part of Google’s larger investment in SOAR capabilities. Siemplify CEO Amos Stern added that Chronicle’s “security analytics and threat intelligence” will be able to help many security operations centers.

    “We’re excited to join Google Cloud and build on the success we’ve had in the market helping companies address growing security threats,” Stern said.

    In his own blog post, Stern said that since the company’s founding in 2015, it has acquired customers ranging from Fortune 500 companies to MSSPs. Calcalist, the first to report the $500 million price tag, noted that Siemplify currently has about 200 employees based in the US, UK and Israel. In October, Google Cloud partnered with Israeli cybersecurity firm Cybereason on an effort to provide Extended Detection and Response (XDR) tools to organizations looking for protection of their endpoints, networks, clouds and workspaces.

    First Microsoft Pluton-powered Windows 11 PCs to start rolling out this year

    Credit: Lenovo

    In November 2020, Microsoft took the wraps off its Pluton security chip, with the goal of bringing it to all Windows 10 PCs. It wasn’t until today, January 4, that any of Microsoft’s OEMs announced their first Pluton-powered PCs. At CES, Lenovo unveiled its Ryzen-6000-based ThinkPad Z series laptops running Windows 11, which will integrate the Microsoft Pluton processor. The coming ThinkPad Z series laptops will begin shipping in May 2022.

    Thanks to Pluton, these devices will be able to receive updated firmware through Windows Update. In the ThinkPad Z13 and Z16, Pluton will help protect Windows Hello credentials, according to Microsoft, by further isolating them from attackers. These new ThinkPads will use Pluton as their TPM to protect encryption keys from physical attacks, Microsoft officials said. Microsoft first deployed Pluton in Azure Sphere, its Linux-based microcontroller, and in Xbox.

    In a January 4 blog post, Microsoft officials noted that Pluton can be configured in three ways: as the Trusted Platform Module (TPM); as a security processor for non-TPM scenarios like platform resiliency; or inside a device where OEMs have opted to ship with the chip turned off. Windows will be able to use Pluton to securely integrate with other hardware security components in a way that gives Windows users and IT admins resiliency signals that can be used for zero-trust conditional access, officials added. At some point in the future, these signals will be reported to services like Intune through the Azure Attestation service, officials said. Microsoft’s blog post said that “in the future” there will be additional support from OEM partners for Pluton.

    Log4j flaw attack levels remain high, Microsoft warns

    Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j ‘Log4Shell’ flaw through December. Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services. Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment. Over the past month, Microsoft has released numerous updates, including to its Defender security software, to help customers identify the issue as attackers stepped up scanning activity.

    “Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC) said in a January 3 update.

    Microsoft said customers should “assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.” Hence, it is encouraging customers to use scripts and scanning tools to assess their risk and impact.

    “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft added.

    The flaw likely left some security teams without much of a break over Christmas and prompted warnings from the UK’s NCSC to beware of burnout among staff responsible for remediation. Just ahead of New Year’s Day, Microsoft rolled out a new Log4j dashboard for threat and vulnerability management in the Microsoft 365 Defender portal for Windows 10 and 11, Windows Server, and Linux systems. The dashboard aims to help customers find and fix files, software and devices affected by Log4j vulnerabilities. CISA and CrowdStrike also released Log4j scanners ahead of Christmas.

    CISA officials believe hundreds of millions of devices are affected by Log4j. Meanwhile, major tech vendors such as Cisco and VMware continue to release patches for affected products. The Log4Shell vulnerabilities now include the original CVE-2021-44228 and four related flaws, the latest of which was CVE-2021-44832. However, it was only a moderate-severity issue, addressed in the Log4j 2.17.1 update on December 28. The Apache Software Foundation has details about each of the Log4j vulnerabilities in its advisory covering CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046.
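    Microsoft’s advice above, to use scripts and scanning tools to assess risk and impact, comes down to knowing which log4j-core versions are present in an environment, including copies buried inside application archives. The following script is an added example written for this page, not code from the article, Microsoft, CISA or the Apache project. It walks a directory, opens every jar/war/ear, reads the log4j-core version from the jar’s own Maven pom.properties (falling back to the file name), descends into nested jars as packaged by shaded or Spring Boot builds, and reports which of the four CVEs named on this page each version still lacks a fix for. The fixed-in releases for CVE-2021-44228 (2.15.0), CVE-2021-45046 (2.16.0) and CVE-2021-45105 (2.17.0) are taken from the Apache advisories; only 2.17.1 for CVE-2021-44832 appears on this page. The sample inventory it scans is constructed in a temporary directory, and the Java 7/6 backport lines (2.12.x, 2.3.x) are deliberately out of scope.

```python
# Added example (not from the article): inventory scanner for Log4j 2 jars, nested jars included.
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Fixed-in releases on the Log4j 2.x mainline for the CVEs named in the article.
# Simplification for this example: the 2.12.x / 2.3.x backport lines are not modelled.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^\s*version\s*=\s*(\d+)\.(\d+)\.(\d+)", re.M)
FILENAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass(frozen=True)
class Finding:
    location: str     # outer file path plus nested entry path(s), joined with "!/"
    version: tuple    # (major, minor, patch) of the log4j-core found there
    open_cves: tuple  # CVEs from FIXED_IN whose fix is newer than this version


def open_cves_for(version):
    """CVEs from the table that a given log4j-core 2.x version has not yet received a fix for."""
    if version[0] != 2:
        return ()  # only the 2.x line is in scope here
    return tuple(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def detect_version(zf, location):
    """Prefer the version recorded in the jar's own pom.properties; fall back to the file name."""
    if POM_PROPS in zf.namelist():
        m = VERSION_RE.search(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if m:
            return tuple(int(x) for x in m.groups())
    m = FILENAME_RE.search(location)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_archive_bytes(data, location):
    """Scan one archive and, recursively, every archive nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (or corrupt); nothing to inspect
    with zf:
        version = detect_version(zf, location)
        if version is not None:
            findings.append(Finding(location, version, open_cves_for(version)))
        for entry in zf.namelist():
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(entry), f"{location}!/{entry}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found under it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive_bytes(path.read_bytes(), str(path)))
    return findings


def make_jar(entries):
    """Build an in-memory jar from {entry_name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed inventory: a vulnerable jar, a Spring-Boot-style app jar nesting 2.16.0, a fixed jar."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(
        make_jar({POM_PROPS: b"version=2.14.1\n", "org/apache/logging/log4j/core/Dummy.class": b""}))
    nested = make_jar({"org/apache/logging/log4j/core/Dummy.class": b""})  # no pom.properties: name only
    (root / "app.jar").write_bytes(make_jar({"BOOT-INF/lib/log4j-core-2.16.0.jar": nested}))
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(make_jar({POM_PROPS: b"version=2.17.1\n"}))
    return root


def demo():
    """Build the constructed sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        status = ", ".join(f.open_cves) if f.open_cves else "no open CVEs from the table"
        print(f"{f.location}: log4j-core {'.'.join(map(str, f.version))} -> {status}")
```

    Run as a script it prints the findings for the constructed sample tree; point scan_tree() at an application directory to inventory real deployments. A version check of this kind is an inventory aid, not proof of safety: a jar mitigated in place without a version bump still reports its old version, and copies outside the scanned tree or embedded in non-zip containers are not seen.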

    Cyberattack against UK Ministry of Defence training academy revealed

    A retired military officer has disclosed a cyberattack that struck the UK Ministry of Defence (MoD) academy and had a “significant” impact on the organization. 

    Air Marshal Edward Stringer, an officer in charge at the time, told Sky News that the cyberattack was discovered in March 2021. According to the retired officer, “unusual activity” was detected by IT outsourcer Serco, but originally it was thought that this may have been due to some form of IT error rather than something malicious. The Defence Academy of the United Kingdom was the target. The organization is responsible for teaching and training thousands of military personnel, MoD employees, wider government figures, and overseas students. Courses on offer relate to topics including security, strategy, languages, and information warfare. While full attribution is not available as to who was responsible, the publication reports that China or Russia was “possibly” involved. Iran and North Korea were also floated as potential sources of the cyberattack.

    “It could be any of those or it could just be someone trying to find a vulnerability for a ransomware attack that was just, you know, a genuine criminal organization,” Stringer said.

    As academy staff worked to keep courses running, management was concerned that the reason behind the attack may not have been to disrupt the educational system – but rather, the academy could have been used as a “backdoor” to target the wider MoD. This prospect had severe ramifications and could have had potential consequences for national security. Stringer added that despite these concerns, there appears to be no evidence of breaches beyond the Defence Academy. An investigation has been launched and the National Cyber Security Centre (NCSC) is aware of the cyberattack.

    During the interview, Stringer said the cyberattack was “significant, but then manageable” – and further prompted the academic institution to ramp up its security posture and network resiliency after accounting for the “operational cost” of dealing with the incident. As of now, the IT infrastructure is still being rebuilt and the Defence Academy is set to launch a new website in the future.

    An MoD spokesperson told Sky News: “In March 2021 we were made aware of an incident impacting the Defence Academy IT infrastructure. We took swift action and there was no impact on the wider Ministry of Defence IT network. Teaching at the Defence Academy has continued.”

    Parliamentary security committee review backs the operation of controversial TOLA Act

    The controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has received the backing of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its review of the laws. The TOLA Act, passed three years ago, was criticised heavily when it first became law as it gave intelligence and law enforcement agencies powers to request or demand assistance from communications providers to access encrypted communications. Since its passing, the most public display of these powers has been Operation Ironside, which AFP commissioner Reece Kershaw last year labelled the Australian Federal Police’s (AFP) “most significant operation in policing history”.

    In the PJCIS’ review [PDF] of the legislation, it supported the powers enacted in the laws but recommended additional safeguards and oversight mechanisms aimed at giving the public confidence that the legislation would be used proportionately and for its intended purpose.

    “Agencies have made the case that these powers remain necessary to combat serious national security threats, and some of the worst fears held by industry at the time of passage have not been realised,” committee chair and Liberal Senator James Paterson said.

    Among those recommended safeguards are that any law enforcement requests cannot result in any person being detained, as well as more authorisation checks prior to the issuance of notices and warrants through the TOLA Act. These recommended checks include a requirement for the Director-General of Security, currently Australian Security Intelligence Organisation (ASIO) head Mike Burgess, to be satisfied with the reasonableness and proportionality of a voluntary assistance request prior to its issuance; external authorisation from the Attorney-General or issuing authority for any concealment activities in relation to executing computer access warrants; and ASIO retaining and requiring written reasons whenever a voluntary assistance request is made.

    The committee has also called for the federal government, in consultation with relevant stakeholders, to develop a prescribed set of requirements for information that must be included in technical assistance requests.

    “These are intrusive powers that must be robustly overseen to ensure they are used appropriately, and there are improvements that can be made to the oversight framework which the committee has recommended,” Paterson said.

    The PJCIS also wants more reviews of the laws, such as a periodic survey in three years’ time to ascertain the ongoing economic impact of the TOLA Act on Australia’s IT industry, and a review of the concepts of “serious offence”, “relevant offence”, and others contained in the Act. The committee explained in the review that it hopes the ongoing reviews would address the concerns raised by industry bodies about the impact of the various notices and requests contained in the TOLA Act. It also recommended that ASIO brief the PJCIS on the acts or things implemented as part of any compulsory assistance order to facilitate and assist the ongoing review and oversight of the legislation. Another recommendation put forth by the PJCIS is for the Inspector-General of Intelligence to receive expanded functions so it can oversee the intelligence functions of the Australian Federal Police.

    Speaking to the concerns that the TOLA Act is potentially incompatible with the US CLOUD Act, the committee also said it was satisfied with the co-existence of the two laws, as the US Department of Justice said it had no issues with the TOLA Act being in operation. The confirmation came shortly after Australia and the United States entered into a landmark CLOUD Act agreement in December, which gave Australia’s law enforcement agencies the ability to issue orders directly on US-based service providers compelling them to provide communications data for the purposes of combatting serious crime, and vice versa.

    Senate committee wants foreign interference social media reporting rules by next Australian election

    An Australian Senate Committee at the end of last year recommended that a government entity be specifically delegated the responsibility of keeping social media platforms and other government entities accountable in preventing cyber-enabled foreign interference. In an interim report [PDF], the Select Committee on Foreign Interference through Social Media said it made this recommendation as there is currently not a single body dedicated to performing this accountability function. The committee said the need for such an entity would continue to grow in importance as the use of cyber-enabled techniques to interfere in foreign elections and referendums has increased significantly in recent years. In making this finding, the committee considered submissions that said current trends indicated espionage and foreign interference would supplant terrorism as Australia’s principal security concern over the next five years. Another factor in making this recommendation was that there is currently no specific body responsible for combatting COVID-19 misinformation and disinformation.

    Alarmingly, the committee also wrote in its interim report that the Department of Home Affairs — the supposed policy lead for addressing foreign interference on social media — testified it was not aware which platforms were supposed to report foreign interference attempts. Social media companies also told the committee similar things, saying they have experienced confusion when trying to decipher how and to whom to report foreign interference residing on their platforms.

    “Given the impending Federal Election, it is imperative that the government establish clear policies and procedures for social media platforms to refer potential foreign interference for consideration by the relevant government departments or entities,” the report said.

    As such, in addition to appointing a government entity to be accountable for cyber-enabled foreign interference, the committee has also recommended that the federal government establish clear requirements and pathways for social media platforms to report suspected foreign interference, including disinformation and coordinated inauthentic behaviour, and other offensive and harmful content. It also recommended that agency remits, powers, and resourcing arrangements regarding these reporting requirements be formalised.

    The committee also called for more transparency regarding the extent of government’s awareness about online disinformation and misinformation. To address the lack of transparency, the committee has recommended that the Australian Communications and Media Authority (ACMA) and the Election Integrity Assurance Taskforce (EIAT) publicly release their findings and responsibilities in relation to foreign interference through social media platforms. Currently, ACMA files a report to government about the Australian Code of Practice on Disinformation and Misinformation, which covers the adequacy of digital platforms’ measures and the broader impacts of misinformation in Australia, but that information is not available for public viewing. Meanwhile, there is “no certainty” around the responsibilities and powers of EIAT members, which the committee warned could create vulnerabilities in Australia’s institutional arrangements that malign foreign actors could exploit.

    “Although the members can articulate their qualifications to be on the [EIAT] (for example, the Department of Communications is an expert on the social media platforms), there is no certainty about what their responsibilities and powers are, let alone the powers of others. The taskforce is governed by terms of reference have been kept secret to this committee and the public at large,” the committee wrote in the interim report.

    The interim report comes on the heels of Australia announcing various initiatives in recent months to address issues residing in social media platforms and cyber. In December alone, Australia announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, and proposed anti-trolling laws. Meanwhile, in October, the federal government released an exposure draft for what it has labelled an Online Privacy Bill to make it mandatory for social media organisations to verify users’ age. Another senate committee recently received an update regarding the Online Privacy Bill during Budget Estimates, with Australia’s information commissioner saying it would receive AU$25 million of funding across three years to facilitate timely responses to privacy complaints as part of work on the aforementioned Bill.

    NSWEC finds iVote system failure may have impacted three local election outcomes

    New South Wales’ electoral commissioner has revealed the iVote system failure during the state’s local elections last month may have materially impacted the councillor elections in Kempsey, Singleton, and the City of Shellharbour. During those elections, an unknown number of voters were unable to cast a vote because the state’s iVote online voting system failed for a portion of the voting period. In the immediate aftermath, the NSW Electoral Commission (NSWEC) attributed the failure to a higher-than-expected elector load, with around 650,000 people using the system during the local elections.

    “Almost triple the number of voters have used iVote at these elections than any previous election,” NSWEC said.

    Since then, an NSWEC investigation into the system failure has concluded that there is a possibility that, if all individuals who registered to use iVote on election day had been able to vote, a different outcome might have occurred. On a technical level, people were unable to cast their vote because iVote did not issue them the necessary security credential before the close of voting on election day; the credential is a prerequisite for accessing the voting component of the system, the NSWEC explained. To address the risk of ongoing ambiguity about the materiality of the iVote issue for these elections, as well as to support the integrity of the electoral system more generally, the electoral commissioner will submit an application to the Supreme Court in the coming weeks for a declaration about the validity of the election results in these three elections.

    The election declaration, if approved, will mean the currently elected councillors for the impacted councils will serve in the interim. The declaration will not be a determination that these three elections are valid more generally, however, the electoral commissioner noted. The electoral commissioner said he wanted to apply for the declaration as these elections have already been deferred twice due to the COVID-19 pandemic and it may be practically impossible to hold fresh elections until the middle of 2022.

    Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, has repeatedly warned of the flaws within the iVote system. “Every serious investigation of iVote found serious problems,” Teague tweeted last month in light of the most recent iVote failure. Starting in 2015, she and her colleagues found numerous flaws in iVote, problems that NSWEC has often downplayed.