More stories


    Best gifts for hackers 2021: Top cybersecurity presents

    While hackers are often associated with criminal acts, the difference between white hat and black hat activities is important to remember. These days, with cyberattacks increasing in scope and complexity, we need professional, ethical hackers to help protect the day-to-day services we all use. And we especially need to encourage younger people who already have an interest in this field. If you’re looking for holiday gifts that will appeal to someone interested in cybersecurity or programming, the hunt can be a challenge. We’ve rounded up our picks for the top gift options, including books for study or entertainment, fun stocking stuffers, high-tech kits, and more for your loved one to enjoy. Here are interesting, fun, and useful gift options for the hacker in your life throughout the 2021 holiday season.

    Learn about the digital arms race

    Amazon

    This Is How They Tell Me the World Ends by Nicole Perlroth should be on the bookshelves of those interested in cybersecurity. Perlroth, a cybersecurity reporter, explores the role of the United States in the digital arms race and includes tales of zero-day exploitation, hacker-for-hire mercenaries, and even how the country’s own specialists were duped into working against them.  

    Learn how to program

    Raspberry Pi

    The Raspberry Pi 400 is a mini computer — within a keyboard — that is a great starting point for learning the basics of computer programming. The Pi 400 includes a memory card preloaded with the Raspberry Pi operating system, 4GB RAM, 4K video playback, wireless connectivity, and other features. (Monitor not included.)

    Learn about modern surveillance

    Amazon

    Kevin Mitnick’s The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data is a classic book that anyone interested in cybersecurity would appreciate. Mitnick, once on the FBI’s Most Wanted list, explores modern surveillance and how we can limit its impact on our privacy and security.

    Learn about hacking, programming, and DIY electronics

    HackerBoxes

    For a slightly different option, check out HackerBoxes, a monthly subscription box full of interesting gadgets and tools for those interested in programming, DIY electronics, and hacking. Past boxes have included Capture the Flag projects, radio-over-internet kit, novelty items, and proximity detection gadgets. 

    Learn about intelligence gathering

    Hak5

    An interesting gift for researchers and pen testers, the Shark Jack is a portable tool for network reconnaissance and wired network auditing. The kit comes with a rapid nmap payload and a switch for attack and arming modes. Payloads can also be written in bash using standard Linux tools.

    Learn how social engineering is used in hacking

    Amazon

    Social Engineering: The Science of Human Hacking by Christopher Hadnagy is an older but still valuable guide on how social engineering is used to phish, impersonate others, obtain their data, secure access to restricted buildings and services, and more. If you know someone interested in security and psychology, this could be the perfect gift this holiday season.

    Learn the ins and outs of a USB attack platform

    Hak5

    Bash Bunny is another option from Hak5. The latest version, Mark II, is a USB payload deployer that can go from “plug to pwn in 7 seconds,” the company claims. Bash Bunny has been made quicker and now supports wireless geofencing and microSD storage.

    Learn how to command the airspace

    Hak5

    The Wi-Fi Pineapple Mark VII is a kit designed for wireless security assessments and auditing. Its features include a dashboard for active and passive monitoring, a rogue access point facility for conducting man-in-the-middle (MITM) attacks, and report generation. The device is available from the basic Mark VII all the way up to enterprise specifications.

    Learn about the security of IEEE 802.15.4/ZigBee systems

    Hacker Gadgets

    The APIMOTE ZigBee Security Tool is a professional tool designed for academic researchers and students. Likely to make a valued gift for these individuals, the kit is pre-flashed with KillerBee and can be used to investigate IEEE 802.15.4/ZigBee systems.

    How did we choose these products? It can be a challenge to find specialist gifts — whether the field you’re interested in is cybersecurity or otherwise — so we examined products that would appeal to the widest customer base available. Or, at least, products that will keep the hackers in your life busy and out of mischief. Need more gift ideas? Check out our ZDNet Recommends directory or Holiday Gifts hub for some more inspiration.



    Codenotary: Notarize and verify your software bill of materials

    The Solarwinds software supply chain attack is the one everyone knows about. But supply chain attacks are becoming commonplace, and that’s bad news. There are efforts afoot, such as the Linux Foundation’s Software Package Data Exchange® (SPDX) project, which ensures transparency and improves compliance for software bill of materials (SBOM). But, we need SBOMs now. As President Joseph Biden’s Executive Order on Improving the Nation’s Cybersecurity says, we must provide “a purchaser with an SBOM for each application.” Codenotary Community Attestation Service wants to help you with that.


    It is a free, open-source notarization and verification service. Its parent company Codenotary promises it will enable businesses to easily create an SBOM, attesting to the provenance and safety of their code. The Community Attestation Service provides end-to-end protection for software development and workloads. Codenotary also promises that it’s scalable to millions of transactions per second, which makes it ideal for continuous integration/continuous delivery (CI/CD) services. It gives developers a way to attach a tamper-proof SBOM to development artifacts, including source code, builds, repositories, and Docker container images. These SBOMs are built without uploading any data to the service. Instead, it notarizes these artifacts using cryptographic verification to uniquely identify each one. Each artifact retains a cryptographically strong identity stored in Codenotary’s immutable database, immudb, a fast and cryptographically verifiable ledger database. Unlike other SBOM systems, this makes no guarantee about the safety of the components in your program. What it does do is assure your customers that the programs, code, libraries, container images, and so on truly are the ones you’ve promised them. This is no small thing. “More and more software companies are being asked by their customers to provide a software bill of materials and to give guarantees about its veracity,” said Dennis Zimmer, Codenotary’s co-founder and CTO. “We’re providing an easy way for developers to build an SBOM and let their customers and users know the provenance of their software is cryptographically and very easily verifiable, effectively enabling true Zero Trust application delivery.”
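    To make the mechanism described above concrete, here is an added, self-contained Python illustration of content-addressed notarization: an artifact is identified only by its SHA-256 digest (so nothing is uploaded), the record goes into an append-only ledger in which every entry commits to the hash of its predecessor, a later copy is checked against the ledger, and an entry can be revoked without rewriting history. This is constructed example code, not Codenotary’s software and not the immudb API; the `Ledger`, `Entry` and `demo` names and the sample installer bytes are all assumptions made for the illustration.

```python
"""Content-addressed notarization with an append-only, hash-chained ledger.

Constructed illustration of the mechanism the article describes; it is not
Codenotary's code and does not use the immudb API. Only an artifact's digest
is recorded, never the artifact itself, so no data leaves the developer.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List


def artifact_digest(data: bytes) -> str:
    """The artifact's cryptographic identity: its SHA-256 hex digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    digest: str      # identity of the notarized artifact
    name: str        # human-readable label (file name, image tag, ...)
    status: str      # "trusted" or "revoked"
    prev_hash: str   # hash of the previous entry; links the chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        payload = json.dumps([self.digest, self.name, self.status, self.prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only log. Every entry commits to its predecessor, so editing or
    deleting an old record breaks the chain and is caught by verify_chain()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def _append(self, digest: str, name: str, status: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = Entry(digest, name, status, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def notarize(self, name: str, data: bytes) -> Entry:
        return self._append(artifact_digest(data), name, "trusted")

    def revoke(self, name: str, data: bytes) -> Entry:
        # Revocation is a new record appended to the log; history is never rewritten.
        return self._append(artifact_digest(data), name, "revoked")

    def status(self, data: bytes) -> str:
        """Latest recorded status for this exact content, or 'unknown'."""
        digest = artifact_digest(data)
        latest = "unknown"
        for entry in self.entries:
            if entry.digest == digest:
                latest = entry.status
        return latest

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check each link to its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev or entry.entry_hash != entry.compute_hash():
                return False
            prev = entry.entry_hash
        return True


def demo() -> Dict[str, object]:
    """Walk through notarize, verify, revoke and tamper detection."""
    ledger = Ledger()
    release = b"#!/bin/sh\necho 'installer 1.0'\n"   # constructed sample artifact
    ledger.notarize("installer-1.0.sh", release)

    results: Dict[str, object] = {}
    results["genuine"] = ledger.status(release)                            # "trusted"
    results["modified"] = ledger.status(release + b"# one extra line\n")   # "unknown"

    ledger.revoke("installer-1.0.sh", release)
    results["after_revoke"] = ledger.status(release)    # "revoked"
    results["chain_ok"] = ledger.verify_chain()         # True

    # Simulate an in-place edit of a stored record: the chain no longer verifies.
    ledger.entries[-1].status = "trusted"
    results["chain_after_tamper"] = ledger.verify_chain()   # False
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The point of the chained hashes is that a verifier only needs the digest of the copy it holds and the ledger itself; a single changed byte in the artifact yields an unknown digest, and a single changed field in an old record invalidates every later link.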

    This is more than just a promise. Home Assistant, an open-source home automation company with hundreds of thousands of users, is using Codenotary’s Community Attestation Service to ensure that only its approved code runs in the homes using its Internet-of-Things (IoT) software. “The open-source nature of Community Attestation Service, the easy integration and real-time revocation is a real game-changer,” said Pascal Vizeli, Home Assistant’s founder and core developer. “That is how software trust and integrity should look and feel.” Home Assistant isn’t the only one who’s bought into Codenotary’s approach. Jack Aboutboul, community manager of the CentOS replacement Linux distro AlmaLinux, said, “AlmaLinux is working on integration with the Community Attestation Service to provide a secure Software Bill of Materials for the AlmaLinux OS distribution and to guarantee the provenance of our builds.” Sound interesting? Head over to Community Attestation Service and start creating your own tamper-proof SBOMs.


    Learn skills to kick off a lucrative cybersecurity career for only $20

    StackCommerce

    If you’re an entry-level IT professional interested in getting your foot in the door of a cybersecurity career, the extremely affordable Palo Alto Networks Cybersecurity Fundamentals (PCCSA) E-Course can help you with that by training you in firewall maintenance. In 27 lectures across almost seven hours of content, you will be able to build a solid foundation in cybersecurity contexts. First, you will have to learn all of the basics of networking, systems, and security solutions, including the basic concepts of cloud security. And, of course, you will learn the skills that are necessary in order to deploy firewalls. This will allow you to enable traffic that is based on credentials such as the user or app ID, content, and policy. You will learn how to identify the most common cybersecurity threats and cyberattack techniques. Then, as your skills develop, you will progress toward the levels required to become a Palo Alto Networks Certified Network Security Engineer (PCNSE).


    The entry-level PCCSA certification was created to verify that you possess the expertise required for configuring, installing, maintaining, and troubleshooting all of the various Palo Alto Network Operating Platform executions and next-generation firewalls. The course is provided, authored, and presented by ITProTV on the iCollege platform. ITProTV is noted for the entertaining and effective talk-show format it uses for IT training courses. Former students have awarded this one an average rating of 4.4 out of 5 stars. You will have lifetime access to this content 24/7 on both desktop and mobile devices. That means you can train at your own pace without taking time off from your current job, even if you are working full-time. If you’re an entry-level IT professional, don’t miss this chance to get this firewall certification; grab the Palo Alto Networks Cybersecurity Fundamentals (PCCSA) course now.



    Ransomware: It's a 'golden era' for cyber criminals – and it could get worse before it gets better

    Ransomware is the most significant cybersecurity threat facing organisations today, as increasingly professional and sophisticated cyber criminals follow the money in order to maximise the profit from illicit campaigns. ENISA, the European Union Agency for Cybersecurity, has released the latest edition of the ENISA Threat Landscape (ETL) report, which analyses cyber criminal activity between April 2020 and July 2021. It warns of a surge in cyber criminality, much of it driven by the monetisation of ransomware attacks.

    Although the paper warns that many different cybersecurity threats are on the rise, ransomware represents the ‘prime threat’ faced by organisations today, with a 150 percent rise in ransomware attacks during the reporting period. And there are fears that despite the problem of ransomware attracting the attention of world leaders, the problem will get worse before it gets better. “We are observing the golden era of ransomware — it has become a national security priority — and some argue that it has not yet reached the peak of its impact,” the paper warns. Cyber criminals trigger a ransomware attack by secretly compromising networks — often via phishing attacks, compromising cloud services or exploiting vulnerabilities — before installing file-encrypting malware across as many systems as possible. Victims are locked out of files and servers, and the cyber criminals demand a ransom payment — made in cryptocurrency — in exchange for the decryption key. In many cases, the victim will pay up. One of the key drivers behind the increased threat of ransomware is the amount of money that can be made; cyber criminals can walk away with millions of dollars from a single attack. It’s likely that the success of ransomware campaigns will only encourage more bad actors to get involved with ransomware, particularly when it comes to hands-on operations that can cripple an entire network.

    “Our assessment is that more cyber criminals will very likely be attracted to shifting their targeting to focus on targeted ransomware operations and replicate these successes,” said the ENISA paper. Incidents like the Darkside ransomware attack against Colonial Pipeline demonstrated how disruptive a ransomware attack can be, to the extent it has an impact on everyday lives. The incident led to gas supply shortages in the North Eastern United States, causing people to try and stockpile supplies. In the end, Colonial paid cyber criminals almost $5 million for the decryption key. While events like this receive a lot of attention, it’s believed that there are many more ransomware attacks where victims quietly pay the ransom without any publicity. “The incidents that are publicly disclosed or that receive media attention are only the tip of the iceberg,” ENISA warns. However, the report also notes that action is being taken on ransomware, with governments having “stepped up their game”, recognising the threat and conducting multinational efforts in an attempt to deal with the issue. The report also details how the last year has seen several arrests made over involvement in ransomware gangs, indicating that, for some cyber criminals at least, their actions have consequences. “Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks,” said ENISA executive director Juhan Lepassaar. “Such an approach can only rally around the necessity now emphasised by the European Council conclusions to reinforce the fight against cyber crime and ransomware more specifically.” Organisations are encouraged to develop a mitigation strategy involving secure backups, so in the event of a ransomware attack, the network can be restored without giving in to the ransom demand.
Operating systems and software should also be kept updated with the latest security patches so cyber criminals can’t exploit known vulnerabilities to enter or move around the network. Applying multi-factor authentication to accounts can also help prevent intrusions that could eventually lead to a ransomware attack. 


    HTTPS threats grow more than 314% through 2021: Report

    Cybersecurity firm Zscaler has released their latest State of Encrypted Attacks Report, highlighting the growth in HTTPS threats since January as well as other attacks facing tech companies and retailers. 

    The report found that HTTPS threats have increased by more than 314% while attacks on tech companies grew by 2,300% and retail companies saw an 800% increase in attacks. According to the report, the tech industry accounted for 50% of all attacks they tracked. Instances of malware were up 212% in the report and phishing rose by 90%. The report tracks more than 20 billion threats blocked over HTTPS and analyzes about 190 billion daily transactions through its Zero Trust Exchange that took place from January to September. From there, the Zscaler ThreatLabz research team goes through the data to compile the report. Deepen Desai, CISO at Zscaler, said most enterprise IT and security teams struggle to implement SSL/TLS inspection policies due to a lack of compute resources and/or privacy concerns. “As a result, encrypted channels create a significant blind spot in their security postures. Zscaler’s new report on the state of encrypted attacks demonstrates that the most effective way to prevent encrypted attacks is with a scalable, cloud-based proxy architecture to inspect all encrypted traffic, which is essential to a holistic zero trust security strategy,” Desai said.

    The researchers found that cryptomining is becoming less prevalent as cybercriminals move toward more lucrative options like ransomware. Zscaler noted that attacks on retailers are likely to increase during the holiday season as more companies offer digital purchase options and promote e-commerce solutions. The company predicts a wave of malware and ransomware attacks targeting e-commerce platforms and digital payment systems between Black Friday and Christmas. “Additionally, as the world begins its return to normal, and as businesses and public events are opening up around the globe, many employees are still working in relatively insecure environments. Getting access to critical point-of-sale systems is extremely attractive to cybercriminals as it opens the door to huge profits,” the report noted. 
    Healthcare and governmental organizations saw a decrease in attacks but overall, seven industries saw attack rates increase from threats in SSL and TLS traffic. Desai attributed the decrease to increased law enforcement scrutiny following the attacks on Colonial Pipeline and other critical industries. Desai noted that both healthcare and government were the most frequently targeted sectors in 2020, prompting many organizations within both industries to stiffen their security posture. The UK, US, India, Australia and France led the way as the top five targets of encrypted attacks. When broken down by region, Zscaler ThreatLabz researchers found that Europe saw the most attacks at more than 7.2 billion, followed by the Asia Pacific region at almost 5 billion and North America, which had about 2.8 billion. The UK led Europe with 5.4 billion encrypted attacks targeting it, followed by the US and India, which both had more than 2 billion attacks sent their way.


    NRA responds to reports of Grief ransomware attack

    The National Rifle Association (NRA) has released a statement today after a ransomware gang claimed to have attacked the organization. The Grief ransomware gang — which has ties to the prolific Russian cybercrime group Evil Corp — posted about the NRA on its leak site, setting off hours of headlines and concerns from members of the group. By Wednesday afternoon, NRA Public Affairs managing director Andrew Arulanandam took to Twitter to say the group is doing what it can to protect the data of its members. “NRA does not discuss matters relating to its physical or electronic security. However, the NRA takes extraordinary measures to protect information regarding its members, donors, and operations – and is vigilant in doing so,” Arulanandam said. Cybersecurity researchers began posting about the incident on Wednesday after Grief said it had 13 files allegedly from the NRA’s databases. Analysis of the released documents shows they are minutes from a recent NRA board meeting as well as documents related to grants. The gang threatened to leak more files if the NRA did not pay an undisclosed ransom.
    The NRA will be faced with a difficult decision considering Evil Corp was sanctioned by the US Treasury Department in 2019, meaning the gun rights group would have to ask permission before paying any ransom. The rules were pushed following an attack on Garmin, a tech wearables company, that was hit by the WastedLocker ransomware. WastedLocker is another ransomware group with purported links to Evil Corp. Evil Corp was implicated in a wide-ranging ransomware attack last week on Sinclair Broadcast Group, which controls hundreds of news stations in the US. 

    Grief has spent much of 2021 attacking school districts and local governments across the US, including ones in New York, Alabama, Mississippi, Indiana, Washington and Texas, according to Comparitech. Paul Bischoff, privacy advocate at Comparitech, said NRA members should take steps to protect themselves from any repercussions that might arise as a result of this breach. “A gun won’t help. Even if the NRA pays the ransom, there is no guarantee that Grief will destroy the stolen data,” Bischoff said. “The inclusion of tax forms is particularly concerning because cybercriminals can use them to perpetrate tax fraud. Be sure to file taxes early and make sure no one else files in your name. Grief has led several attacks in the US against targets in government, healthcare, and education.”


    Microsoft is adding another way to update Windows 11 with Online Service Experience Packs

    Microsoft released a new Windows 11 Insider build on October 27 — Windows 11 Build 22489. In the release notes for this Dev Channel build, Microsoft officials disclosed there’s going to be yet another way to update Windows outside of major OS updates called “Online Service Experience Packs.” The mention of this new update pack was in the context of the “Your Microsoft Account” settings page, which Microsoft is now testing as part of some future update to Windows 11. A subset of Dev Channel Insiders is getting the new Your Microsoft Account setting page as part of Build 22489. This new page will display information related to users’ Microsoft Account, such as subscriptions to Microsoft 365, links to order history, payment details and Microsoft Rewards. Via this page, users will be able to access their Microsoft Accounts directly in the Settings in Windows 11. The details about what Online Service Experience Packs are and what, exactly, they’ll be updating are sparse right now. Microsoft officials said in today’s blog post about the new build: “Over time, we plan to improve the Your Microsoft account settings page based on your feedback from Feedback Hub via Online Service Experience Packs. These Online Service Experience Packs work in a similar way as the Windows Feature Experience Packs do, allowing us to make updates to Windows outside of major OS updates. The difference between the two is that the Windows Feature Experience Packs can deliver broad improvements across multiple areas of Windows, whereas the Online Service Experience Packs are focused on delivering improvements for a specific experience such as the new Your Microsoft account settings page.” Under Windows Update, users ultimately will see “Online Service Experience Pack – Windows.Settings.Account” with a version number. Microsoft execs have said fairly little about Windows Feature Experience Packs. 
    These packs, introduced with Windows 10, have included the updated Snipping Tool, text input panel, and shell-suggestion UI. In addition to the new Your Microsoft Account settings page, Microsoft also has added support in today’s test build for “Discovery of Designated Resolvers.” This feature, which builds on DNS over HTTPS, allows Windows to discover encrypted DNS configurations from a DNS resolver known only by its IP address. Microsoft also is updating the name of the “Connect” app to “Wireless Display.” And it is splitting the Apps & Features page in Settings into two pages under Apps: Installed Apps and Advanced App Settings. The rest of Microsoft’s post about today’s build lists a bunch of fixes and known issues. Earlier this month, Microsoft introduced yet another Windows-updating-related feature to Windows Insiders. That mechanism, called Update Stack Packages, is designed to “deliver update improvements outside of major OS updates, such as new builds.” Officials declined to say more about what exactly these Update Stack Packages are at this point.


    Salesforce and Google create cybersecurity baseline for companies checking vendors

    Google and Salesforce have announced the creation of a vendor-neutral security baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to “raise the bar for security while simplifying the vetting process.” MVSP was also developed and backed by Okta, Slack and more. Google vice president of security Royal Hansen said it was “designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines.” “With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals, and reduce the onboarding and sales cycle by weeks or even months,” Hansen said. “MVSP is a collaborative baseline focused on developing a set of minimum security requirements for business-to-business software and business process outsourcing suppliers. Designed with simplicity in mind, it contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture. MVSP is presented in the form of a minimum baseline checklist that can be used to verify the security posture of a solution.” Companies have long had to create their own security baselines for their vendors, which complicates the process, is difficult for organizations to assemble and creates a byzantine maze of baselines for complying vendors. Hansen explained that the MVSP will create an industry-wide baseline backed by practitioners that clearly communicates a set of minimum requirements. The requirements can also help organizations understand the gaps in their own process and identify areas where they need to be tougher on vendors.

    “MVSP provides a single set of security-relevant questions that are publicly available and industry-backed. Aligning on a single set of baselines allows clearer understanding from vendors, resulting in a quicker and more accurate response,” Hansen said. “MVSP ensures expectations regarding minimum security controls are understood up front, reducing discussions of controls at the contract negotiation stage. Referencing an external baseline helps to simplify contract language and increases familiarity with the requirements.” Hansen added that the companies were interested in feedback from the security community and others who may want to contribute. Salesforce said outsourcing operations to third-party vendors is a double-edged sword. It brings savings but also creates new attack vectors by granting external access to critical systems and customer data, a Salesforce official said. A recent study showed 59% of companies have experienced a data breach caused by one of their vendors. The MVSP checklist includes questions about whether a vendor performs annual comprehensive penetration testing on systems as well as whether a vendor complies with local laws and regulations like GDPR. Questions also cover whether vendors have implemented single sign-on using modern and industry standard protocols or apply security patches on a frequent basis. Does a vendor maintain a list of sensitive data types that the application is expected to process? Do they keep an up-to-date data flow diagram indicating how sensitive data reaches your systems and where it ends up being stored? These are all questions posed by the MVSP checklist. The checklist also includes questions about the physical security of facilities and whether vendors have layered perimeter controls or entry and exit logs.
    “With MVSP, the industry can increase clarity during each phase so parties on both sides of the equation can achieve their goals and reduce the onboarding and sales cycle by weeks or even months,” Salesforce said.