More stories

  • GraphQL API authorization flaw found in major B2B financial platform

    Cybersecurity firm Salt Labs discovered a GraphQL API authorization vulnerability in a large B2B financial technology platform. It would give attackers the ability to submit unauthorized transactions against customer accounts and harvest sensitive data, all by manipulating API calls.

    Salt Labs would not say which company was affected as a way to protect users, but it explained that the vulnerabilities have been fixed since they were discovered. The platform offers financial services in the form of API-based mobile applications and SaaS to small- and medium-sized businesses and commercial brands, according to Salt Labs.

    Michael Isbitski, technical evangelist at Salt Security, told ZDNet that GraphQL API adoption is slower than REST but growing rapidly because of the potential benefits to front-end design and performance. A recent survey from Postman found that while most companies use REST, others like webhooks, WebSockets, GraphQL, and SOAP are gaining traction.

    “Authorization flaws in APIs are very common, hence why they land on the OWASP API Security Top 10 list,” Isbitski explained. “This type of authorization flaw is also more likely to occur with GraphQL APIs as opposed to REST APIs just because of the nature of how GraphQL can be used to combine API calls and mutate queries.”

    Salt Labs identified this vulnerability in the company’s SaaS platform and the mobile applications it interfaces with, resulting from the failure to implement authorization checks correctly. Researchers found that some API calls were able to access an API endpoint that required no authentication, further enabling attackers to enter any transaction identifier and pull back data records of previous financial transactions. The company said GraphQL APIs are “inherently difficult to secure” due to their unique flexibility and structure.

    Salt Security CEO Roey Eliyahu said GraphQL provides some advantages in query options compared to REST APIs, but this flexibility comes with risk. A single API call can include multiple separate queries.

    “A prevalent vulnerability related to GraphQL is that developers must implement authorization on every layer of a multi-layer GraphQL query to prevent attacks. This side effect increases the burden on development and operations teams, and it can extend delivery timelines for applications with many API endpoints,” the researchers wrote in a report about the issue. “It also can create a situation that is more vulnerable to human error. Some endpoints may be forgotten or not properly dealt with, causing its own set of issues down the road.”

    The researchers explained that the authentication and authorization in mobile app designs are often broken or absent because developers focus on usability. Cyber criminals often know that codebases are managed by different teams and search for vulnerabilities in both front-end clients and back-end services. SSL or TLS typically encrypt web API communications, giving enterprises the sense that they are protected when, in many cases, they may not be.

    “The prevailing assumption in the industry around GraphQL is that these APIs are uncommon, obscure targets of attack and therefore safer,” Isbitski said. “This assumption is wrong. Security through obscurity has always been a poor strategy, and the complexity of GraphQL APIs makes securing them more challenging.”

    Netenrich threat hunter John Bambenek told ZDNet that when mobile app developers make applications and API services, they wrongly believe an attacker could not misuse this information, since the phone itself doesn’t provide visibility.

    “It is tempting to believe that mobile apps create an obscurity layer that is hard for attackers to crack, but decades of experience show that security through obscurity just doesn’t get the job done,” Bambenek said. “Organizations need to make sure every transaction requires authorization and every step of a transaction is checked to make sure the permissions are appropriate for what is being attempted.”

  • Best VPNs for small and home-based businesses in 2021

    I recently had a friendly discussion with a marketing guy who contended that the term “small business” didn’t apply to home-based businesses because small businesses have between a hundred and 1,500 employees and revenues from about $1M to about $40M. Technically, if you accept the US Small Business Administration’s very wrong-headed definition of small business, that’s correct. But I defy you to tell a small restaurant owner or an IT consultant with five or ten employees that their business isn’t a small business. After all, roughly 54% of employer businesses (businesses with employees) are smaller than the SBA’s definition of small business.

    This is even more the case in these times of Covid. Many employees are working from home, whether or not they’re employed by companies with huge or tiny payrolls. But the distinction is important — and this is what my marketing friend was getting at — because if you look at tiny businesses, they tend to need different networking infrastructure than so-called small businesses the size of small departments or divisions. For our purposes, specifically for this article, we’re looking at VPN solutions that can fit businesses operating from homes as well as small offices. Two of them, NordLayer and Perimeter 81, can scale to larger small businesses. The other two, Surfshark and ExpressVPN, have tools that help small business owners manage multiple subscriptions and licenses. Let’s take a look.

    Start with VPN and add all the business management features you need

    Cloud VPN: Yes; Remote Access VPN: Yes; Site-to-Site VPN: Yes; SSO Option: Yes; Team Permissions: Yes; Centralized Billing: Yes

    NordSec, the folks behind the hugely popular NordVPN service, have an entire array of offerings for small and medium businesses. Packaged under the NordLayer brand, Nord offers business VPN, along with multi-layer network protection, all coordinated in a centralized dashboard.

    NordLayer checks all the boxes, allowing work-from-home individuals to connect into the corporate on-site network over an encrypted tunnel, as well as providing site-to-site and dedicated IP options. Additionally, NordLayer provides business-level management functions including integration into single sign-on solutions, team permission management, and centralized billing.

    Comprehensive security company with a solid business VPN offering

    Cloud VPN: Yes; Remote Access VPN: Yes; Site-to-Site VPN: No; SSO Option: Yes; Team Permissions: Yes; Centralized Billing: Yes

    Perimeter 81 calls its cloud VPN offering a “VPN alternative.” Yet, it provides the same functionality — to protect your data in transit to the cloud and then from the cloud to your on-premises and remote networks. Beyond VPN, Perimeter 81 offers a wide range of additional network security services, including a software firewall and network segmentation.

    Home-based business operators buying into Perimeter 81 may find themselves put off by Perimeter 81’s minimum-seat requirements of 5 or 10 seats, depending on plan. Overall, we think this is a solution better suited to larger small businesses and small departments than home-based businesses. But it may well be ideal for companies that have responded to Covid by sending workers home and need a way to extend a secure network into all their employees’ homes.

    Consumer VPN with some behind-the-scenes business services

    Cloud VPN: No; Remote Access VPN: Yes; Site-to-Site VPN: No; SSO Option: No; Team Permissions: No; Centralized Billing: Yes

    Surfshark is interesting in that it’s hard to tell the company has business options. However, when I asked, I was told, “Although Surfshark is not a business VPN per se, we do offer plans for small businesses that want to enhance their employee privacy and security. For instance, last year when the pandemic hit the world, we did a campaign to support small businesses around the globe with 6-month VPN accounts so they could ensure the adequate level of security for their employees when moving to work from home, without having to go through a tedious business VPN set up process.”

    We’ve looked at the Surfshark interface before, and agree with the company that, “The key value of Surfshark for small businesses is that one does not need to have a dedicated IT person to set up a secure VPN tunnel while at the same time getting use of VPN security features.”

    Do be aware that there is no indication of consolidated billing or business features on the main Surfshark.com site. To get business-level services, the company advises you reach out to partners@surfshark.com and begin a dialog there. If you do, let me know how it works out for you.

    Controversial consumer VPN with business-based billing

    Cloud VPN: No; Remote Access VPN: Yes; Site-to-Site VPN: No; SSO Option: No; Team Permissions: No; Centralized Billing: Yes

    ExpressVPN has had a difficult year due to the controversy surrounding its new owner. Even so, the company’s product has generally been solid, and because it offers some business billing options, it’s worth including in this list.

    While the company does not offer a business product, it does offer volume discounts for companies who wish to buy for multiple employees. For consolidated billing, we’re told you can contact its support team, who will set up a master account along with child accounts, which allow you to pay for an entire team with one payment.

    Are considerations different when getting a VPN for business?

    Yes. Somewhat. Whether you’re using a VPN for work or for personal use, you want your network traffic to be secure. Personal users often want to hide their location or spoof remote servers (sometimes for good reasons, sometimes just to location-shift entertainment). Business users don’t need that capability as much, although executives traveling may not want their locations to be triangulated. Considerations are also different if you’re a worker assigned to use a business VPN, compared to the manager choosing a VPN for use by employees. Again, communications security is the top priority in a business VPN, followed by performance, and often management features like access control and billing.

    Can I use a consumer VPN for business use?

    That totally depends…on everything. Here’s the thing. If you have a tiny company of just a few employees, a good consumer VPN should do just fine. Your biggest issue will be consolidating payments, followed by assigning and revoking accounts. But if you’re in a big small business, say with a thousand employees, you’re going to need a much larger set of IT-level features. In this article, we’re focusing on very small companies and those working from home, and for those businesses, a business-class VPN or even a good consumer VPN will do just fine.

    Will a VPN let me monitor what my employees say across the Internet?

    Uh. No. VPNs encapsulate data from one point to another so it can’t be monitored. In theory, you could monitor communications once packets reach your corporate network, but that’s a lot more complex than setting up a basic VPN, and it’s pretty slimy and reprehensible as well. Don’t spy on your employees. Judge them by their actions and whether they meet their commitments. Just sayin’. Don’t.

    How we choose

    Finding the right participants for this list was an interesting exercise. I wanted to stay away from the larger-scale corporate VPN solutions because anything that requires a special certification or multiple full-time IT people was for larger businesses than I was trying to reach in this article. So everything had to be reasonably deployable by an experienced tech user, not a formally-trained and certified IT professional. Second, everything had to have some kind of unified billing. It didn’t make sense to call something a business plan if you had to make 10 individual credit card payments each month for your ten employees’ VPN accounts. While the checkout mechanisms for ExpressVPN and Surfshark do not offer unified billing, both companies advised us that you can contact them and they’ll set up account management services for multiple accounts. And, finally, we’ve been testing most of these products for going on years now. While I don’t use any one VPN constantly, I have run most of these through my testing process, and the results are provided along with the recommendation.

    How you should choose

    Keep in mind that everyone’s needs are different and VPNs are particularly challenging because your performance is determined by the country you’re in, your ISP, your connection, and even the current weather conditions. I always recommend choosing vendors with a liberal refund policy (at least 30 days), and test, test, test to see if the service performs as you need it to.

    Beyond that, keep an eye out for any egregious renewal pricing and conditions. Most of the vendors I spotlight either don’t have renewal fees that slam you after a few years or, if they do, I point them out so you can watch out for them. One more thing I recommend is you start a dialog with the various customer and tech support teams. If you’re running your company on these services, find out how responsive and communicative they are.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

  • Everyone is burned out. That's becoming a security nightmare

    Cybersecurity workers and other employees are suffering from a high level of burnout that is putting organisations at greater risk from cyberattacks and data breaches. Research by cybersecurity company 1Password suggests that the challenge of remote working two years into the COVID-19 pandemic is leaving staff feeling burned out and less likely to pay attention to security guidelines.

    According to the survey, burned-out employees are more apathetic about workplace cybersecurity measures and are three times more likely to ignore suggested best practices.

    Risky behaviours include downloading software and apps without IT’s express permission, and thus increasing the amount of shadow IT on networks that’s difficult for the IT department to properly manage. There’s also the risk that these employees could download fake or malicious versions of apps, which could potentially deliver malware and other threats from hackers.

    The paper also warns that burned-out employees are much more likely to use easy-to-guess passwords to secure their corporate accounts. The use of weak passwords makes it much easier for cyber criminals to breach accounts and use that access to snoop around the network, steal information and lay down the foundation for wider malicious activity.

    “The biggest threat is internal apathy. When people don’t use security protocols properly, they leave our company vulnerable,” said one unnamed cybersecurity professional cited in the report.

    In many organisations, it’s cybersecurity staff who are there to counter activity that could make the network vulnerable to cyberattacks – but according to the paper, cybersecurity professionals are more burned out than other workers. The research suggests that 84% of security professionals are feeling burned out, compared with 80% of other workers. And when cybersecurity employees are burned out, they’re more than likely to describe themselves as “completely checked out” and “doing the bare minimum at work” – something that one in 10 cybersecurity professionals described as their state of mind compared with one in 20 of other employees. That attitude could easily result in security threats being missed or flaws not being fixed in time, something that could put the whole company at risk from cyber incidents. “Pandemic-fueled burnout – and resultant workplace apathy and distraction – has emerged as the next significant security risk,” said Jeff Shiner, chief executive officer at 1Password. “It’s particularly surprising to find that burned-out security leaders, charged with protecting businesses, are doing a far worse job of following security guidelines – and putting companies at risk”. The rise of remote and/or hybrid working has changed many workplaces in a permanent way and it’s vital that the correct cybersecurity strategies are put in place to manage risk. Additionally, managers need to talk to employees about the challenges working from home can bring in addition to the benefits – therefore, gaining a better understanding over why burnout happens and what can be done to counter both burnout and the associated security risks. “It’s now a business imperative for companies to engage the humans at the heart of security operations with tools, training and ongoing support to create a culture of security and care that helps us all stay safe at work,” said Shiner.

  • Businesses fear rise of third-party attacks, as ransomware impact grows

    The majority of global businesses believe supply chain attacks can become a major threat within the next three years, with 45% experiencing at least one such attack in the last 12 months. This figure is higher, at 48%, in the Asia-Pacific region, where organisations also are reporting more ransomware attacks and paying out higher ransoms than their global counterparts. Worldwide, 84% of enterprises expressed concerns third-party attacks could become a major cyber threat over the next three years, according to a report commissioned by CrowdStrike. However, just 36% had vetted all their software suppliers for security purposes in the past year, including 40% in Asia-Pacific.

    Conducted by market researcher Vanson Bourne, the study surveyed 2,200 senior IT security executives and decision makers across 12 global markets between September and November this year. These included four in Asia-Pacific, where 300 respondents were from India, 200 each from Japan and Australia, and 100 from Singapore.

    At 87%, more in Asia-Pacific than the global average expressed concerns supply chain attacks were becoming a major cyber threat, the study revealed. Amongst the 48% in the region that reported at least one such attack in the past year, 36% were from Singapore where 57% could not ascertain that they had vetted all their software suppliers for security purposes.

    Some 69% in Asia-Pacific also encountered at least one ransomware attack in the past 12 months, higher than the global average of 66%. This figure was 64% in Singapore.

    APAC clock highest ransom payout

    Asia-Pacific also clocked the highest average ransomware payment of $2.35 million per attack, compared to $1.55 million in the US and $1.34 million in EMEA. The global average ransomware payout climbed 63% this year to $1.79 million, up from $1.1 million last year, according to the report, which noted that attackers demanded an average $6 million in ransom payment.

    Worldwide, 96% of respondents that paid the initial ransom had to pay additional extortion fees of $792,493 on average. The report noted that 57% of companies that suffered a ransomware attack acknowledged they did not have a defence strategy in place to coordinate a response. This figure was 53% in Asia-Pacific.

    Singapore respondents that chose to fork out a ransom demand paid the lowest average at $1.46 million in the region, compared to India at $2.92 million, Japan at $2.25 million, and Australia $1.53 million.

    Some 93% of Singapore organisations that paid a ransom forked out additional extortion fees averaging $619,231 per attack, which again was the lowest in the region where their Indian counterparts paid an average of about $1.15 million in additional extortion fees per attack, while those in Japan paid $950,000, and Australia clocked at $785,345 per attack.

    Singapore took 119 hours to detect a cybersecurity incident, quicker than the average 205 hours in Asia-Pacific, but required a longer 15 hours to investigate and triage, compared to the regional average of 14 hours. Organisations in Singapore also took an average 30 hours to contain and remediate security incidents, almost double the Asia-Pacific average of 19 hours. Some 60% in the city-state cited remote work as the source of an intrusion, while 75% in Asia-Pacific and 69% worldwide said likewise.

    Globally, organisations took an average 146 hours to detect a cybersecurity incident, up from 117 hours last year, and needed 11 hours to triage and understand an incident. They required 16 hours on average to contain and remediate a security incident. Amidst the rise in frequency of security incidents, the report noted that 63% were “losing trust” in legacy software vendors including previously trusted providers such as Microsoft. In Asia-Pacific, this figure clocked at 66%.

    CrowdStrike CTO Michael Sentonas said: “Adversaries continue to exploit organisations around the world and circumvent outdated technologies. Today’s threat environment is costing businesses around the world millions of dollars and causing additional fallout. The evolving remote workplace is surely accentuating challenges for businesses as legacy software like Microsoft struggles to keep up in today’s accelerated digital world.”

    “This presents a clear clarion call that businesses need to change the way they operate and evaluate more stringently the suppliers they work with,” Sentonas said.

  • Hackers using concern about Omicron strain of COVID-19 to attack US universities

    Researchers with cybersecurity firm Proofpoint have discovered a new phishing attack leveraging concern about the spread of the Omicron strain of COVID-19 to steal credentials and gain access to accounts at several prominent universities in the US. The emails — part of an attack that Proofpoint researchers said began in October but increased in November — generally contain information about COVID-19 testing and the new Omicron variant.

    Cybercriminals and threat actors have used concern about COVID-19 as a phishing lure since the pandemic began to cause headlines in January and February of 2020. But with this specific attack, cybercriminals are spoofing the login portals of schools like Vanderbilt University, the University of Central Missouri and more. Some mimic generic Office 365 login portals while others use legitimate-looking university pages.

    “It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty, and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely,” the Proofpoint researchers wrote. “We expect more threat actors will adopt COVID-19 themes given the introduction of the Omicron variant. This assessment is based on previously published research that identified COVID-19 themes making a resurgence in email campaigns following the emergence of the Delta variant in August 2021.”

    In some cases, Proofpoint found that the emails actually redirected potential victims to the actual websites of their university after their credentials were stolen. The emails typically come with subject lines like “Attention Required – Information Regarding COVID-19 Omicron Variant – November 29.” Others are tagged with “COVID test.”

    Thousands of messages have been sent using Omicron as a lure, and the emails typically have malicious files attached or come with URLs that steal credentials for university accounts. In some cases, Proofpoint found that attacks using attachments “leveraged legitimate but compromised WordPress websites to host credential capture webpages.”

    “In some campaigns, threat actors attempted to steal multifactor authentication (MFA) credentials, spoofing MFA providers such as Duo. Stealing MFA tokens enables the attacker to bypass the second layer of security designed to keep out threat actors who already know a victim’s username and password,” the researchers explained. “While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate, compromised university accounts to send COVID-19 themed threats. It is likely the threat actors are stealing credentials from universities and using compromised mailboxes to send the same threats to other universities. Proofpoint does not attribute this activity to a known actor or threat group, and the ultimate objective of the threat actors is currently unknown.”

    Hank Schless, a senior manager at Lookout, told ZDNet that at the start of the pandemic in 2020, there was a ton of malicious phishing activity centered around the virus that tempted people with promises of increased government aid, information about shutdowns, and even self-testing apps. From Q4 2019 into Q1 2020, Schless said his company saw an 87% increase in enterprise mobile phishing. By early 2021, Schless noted that attackers changed their tune to deliver the same attacks with the promise of information around vaccines and reopenings.

    “Between Q4 of 2020 and Q1 of 2021, exposure to phishing increased 127% and remained at the same level through Q2 and Q3. Now, with questions around the Delta and Omicron variants, attackers are again using this as a way to convince potential victims to trust their communication and unknowingly share login credentials or download malware. Academic institutions make for ripe targets in the eyes of cybercriminals,” Schless said. “Large institutions may be conducting cutting-edge research or have massive endowments — both types of data that an attacker would want to steal or encrypt for a ransomware attack. Phishing campaigns know no industry, organization, or device type. They’re designed to be agile attacks that can be tweaked to target any individual.”

    He explained that while the end goal of the attackers discovered by Proofpoint is still unknown, a set of legitimate login credentials can be the most valuable asset to an attacker trying to infiltrate an organization’s infrastructure. By entering under the guise of a legitimate user, the attacker has a greater chance of accessing sensitive data without tripping any alarms, Schless added, noting that these campaigns are often the starting point for more advanced cyber attacks.

  • AWS launches its second Top Secret region

    Amazon Web Services on Tuesday announced the launch of its second Top Secret region, AWS Top Secret-West. The new region is accredited to operate workloads at the Top Secret US security classification level, meeting the needs of customers in the defense, intelligence, and national security sectors. Amazon opened its first Top Secret region, AWS Top Secret-East, back in 2014, making it the first air-gapped commercial cloud accredited to support classified workloads. The two Top Secret regions are more than 1,000 miles apart, giving customers options to store data closer to users for latency-sensitive workloads. Each region consists of multiple Availability Zones to ensure resiliency. The Top Secret region is accredited for security compliance under the Director of National Intelligence (DNI) Intelligence Community Directive (ICD 503) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4.

    AWS already has an established relationship with the defense industry, but it hasn’t been without controversy. In 2019, the US Defense Department awarded a 10-year, $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract to Microsoft, and AWS almost immediately filed a lawsuit challenging the contract. AWS claimed that then-President Donald Trump’s vendetta against Amazon and then-CEO Jeff Bezos was a key factor in Microsoft’s win. Last month, the DoD asked AWS, Microsoft, Google and Oracle to submit bids for a new, multi-billion-dollar cloud contract. While it’s asking for four bids, the federal government said it anticipates awarding just two contracts — one to AWS and one to Microsoft.

  • Canadian indicted for launching ransomware attacks on orgs in US, Canada

    The FBI and Justice Department unsealed indictments today leveling a number of charges against 31-year-old Canadian Matthew Philbert for his alleged involvement in several ransomware attacks. Officials from the Ontario Provincial Police held a press conference on Tuesday to announce the charges and Philbert’s arrest in Ottawa.  

    In a statement, US Attorney Bryan Wilson of the District of Alaska said Philbert “conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018.” Wilson and Canadian officials noted that they received help in the case from Dutch authorities and Europol. Canadian officials also announced charges against Philbert, noting that he had been arrested on November 30. The officials did not say which ransomware group Philbert was part of or what attacks he was responsible for. “Cyber criminals are opportunistic and will target any business or individual they identify as vulnerable,” said Ontario Provincial Police deputy commissioner Chuck Cox. Among the charges Philbert is facing are one count of conspiracy to commit fraud and another count of fraud and related activity in connection with computers.

    During the press conference, Cox said the FBI contacted officials in Ontario about Philbert’s activities, which included ransomware attacks on businesses, government agencies, and private citizens.

    As Philbert was being arrested, police said they were able to seize several laptops, hard drives, blank cards with magnetic stripes, and a Bitcoin seed phrase. In January, police in Florida arrested another Canadian citizen in connection with several attacks by the Netwalker ransomware group. The DOJ claimed Sebastien Vachon-Desjardins managed to make about $27.6 million through several ransomware attacks on Canadian organizations like the Northwest Territories Power Corporation, the College of Nurses of Ontario, and a Canadian tire store in B.C. Emsisoft threat analyst Brett Callow, a ransomware expert based in Canada, told ZDNet that most people assume that ransomware attacks originate from Russia or the Commonwealth of Independent States. While the ransomware may be “made” in those countries, Callow noted that the individuals who use it to carry out attacks can be based anywhere. “In fact, there’s so much money to be made from ransomware, it would be extremely surprising if individuals in countries like Canada, America, and the UK hadn’t entered the market. Those individuals may, however, be sleeping a little less well at night than they used to. In the past, there was a near-zero chance of them being prosecuted for their crimes, but that’s finally starting to change,” Callow said.

  • First certified 'secured-core' Windows Servers and Azure Stack HCI servers are now available

    Earlier this year, Microsoft announced plans for secured-core servers, the server complements to secured-core PCs. Today, December 7, the first servers that have passed the “Secured-core” standards bar are available to customers. Customers interested in the new secured-core servers can find listings for them in the Windows Server and Azure Stack HCI catalogs. HPE’s Gen 10 Plus (v2) products for Azure Stack HCI 21H2 get the secured-core designation. Dell, HPE, Lenovo, AMD and NEC have a variety of server products running Windows Server 2016, 2019 and/or 2022 that get the secured-core checkmark.

    Secured-core servers use the Trusted Platform Module (TPM) 2.0 and secure boot to make sure only trusted components load in the boot path. Secured-core servers, as the name implies, are designed to help protect against threats that commonly target servers, such as ransomware and exploits around cryptocurrency mining. Secured-core servers protect server infrastructure with a hardware root of trust, defend sensitive workloads against firmware-level attacks, and prevent access and execution of unverified code on systems, Microsoft officials said.