More stories

  • Google, Twitter back #ShareTheMicInCyber campaign to expand cybersecurity industry

    The #ShareTheMicInCyber campaign that took over the Twitter pages of the country’s cybersecurity leaders last week is being formalized thanks to a partnership between the movement’s founders and a think tank. Camille Stewart, co-founder of #ShareTheMicInCyber, said #ShareTheMicInCyber will be working with New America on a diversity initiative funded by Google, Twitter, and Craig Newmark Philanthropies. “We are excited to expand the impact of #ShareTheMicInCyber by creating a fellowship that will allow for sustained and deeper impact,” Stewart said.

    A fellowship will be created for 2020 that will be centered around researching diversity and inclusion in the cybersecurity industry, nurturing a stable of mentors and organizing professional development activities. “In an environment where there are so many cyber positions unfilled and we are facing cyber threats that are increasing in complexity and scale, we must capitalize on the innovation and understanding of people that diversity brings to get ahead of threats and fill staffing gaps,” Stewart, who works as global head of product security strategy at Google, told ZDNet. “Intentional investment in changing the face of the industry, elevate and invest in diverse talent, promote diverse talent, change hiring and retention practices to allow for nontraditional backgrounds and experiences, and create inclusive, empathy-driven cultures where everyone can thrive and differences are celebrated.”

    Google vice president of security Royal Hansen said in a blog post that the company was funding the first year of the fellowship and pledging to a total of five years of funding.

    “As modern cybersecurity threats evolve into new and more dangerous attacks — and as the industry seeks skilled workers — we need an arsenal of different ideas that represent all backgrounds. The #ShareTheMicinCyber Fellowship will amplify diverse talent and bring new voices and ideas to the industry and ultimately make us all safer and more secure,” Hansen said.

    Stewart said she was inspired to start the campaign in the national security and cybersecurity industry after seeing a Share The Mic Now movement for another industry on Instagram. She tweeted about it and eventually was contacted by Harvard Kennedy School’s Lauren Zabierek, who decided to join the effort and helped Stewart host a similar campaign through her organization NextGen NatSec in celebration of Juneteenth 2020. “At the same time Lauren and I worked to create #ShareTheMicInCyber. The first campaign happened June 26, 2020 and built off the learnings from the campaign I hosted the week prior,” Stewart explained.

    On the heels of that, Stewart and Zabierek began extending invitations to anyone they had connections to, eventually getting the attention of a member of the NSA Cyber comms team through a tweet. Stewart also contacted CISA Director Jen Easterly, who responded immediately and urged her team at CISA to make it happen. IST contacted them in the hopes of joining the campaign.

    On Friday, CISA strategist Ayan Islam took over Easterly’s account, Google security engineer Talya Parker tweeted from the account of NSA cybersecurity director Rob Joyce, and Institute for Security and Technology CEO Philip Reiner handed his accounts over to Hope Goins, staff director for the US House of Representatives Committee on Homeland Security. The women spoke about their experiences in the tech industry, the barriers they had to face as Black women and ways other women of color can break into the industry.

    “The initiative is going well and continues to grow in reach and impact. Not only is the campaign reaching more people each time — sparking a much needed conversation about systemic racism in cyber, broadening networks, and engaging cyber employers — we have partnerships that allow us to address the impacts of systemic racism,” Stewart said. “Our partnership with WISP to create a scholarship for participants is helping to break down financial barriers. Cyberbase, which is launching in partnership with RStreet Institute, is combating the notion that diverse practitioners aren’t already in the industry by giving companies access to a database of Black cyber talent.”

    Stewart added that the partnership with New America would make what was discussed on Friday a reality, allowing the movement to evolve into actionable opportunities for cybersecurity professionals of color. The fellowship will give someone the opportunity to “conduct policy research and analysis, explore critical cyber security issues, and explore questions of diversity and the human side of cybersecurity.”

    “Our focus on amplifying and investing in middle career talent is designed to be a beacon for newcomers and a pipeline for future leaders,” Stewart said. “The industry investment in this initiative is a recognition that investment in a diverse workforce at all levels will better equip us to meet the ever-evolving and increasingly complex security challenges we face as a society.”

    Peter Singer, senior fellow at New America and co-coordinator of the #ShareTheMicInCyber partnership, said the need to build greater diversity in cybersecurity brings together national security, industry, community, and equity needs. “It is the literal definition of a win for all,” Singer said. “We couldn’t be more excited and proud to join in taking #ShareTheMicInCyber to the next needed level.”

    Stewart and Zabierek said the latest partnership is only the beginning of the conversations that need to be had about diversity, racism and equity in the cybersecurity industry. They urged other companies to get involved in the campaign and find a way to support the initiative. “The outcomes that we’ve seen from the four #ShareTheMicInCyber campaigns — to include strengthening and expanding networks, deepening inclusion, and connecting people with more job and professional opportunities in cybersecurity — show us that this movement must be rooted and fully resourced so that we can grow its impact,” Zabierek said.


  • Not upgrading to iOS 15? Then you need to install this update now

    Back when Apple first announced iOS 15, it promised that users could choose to stay on iOS 14 if they wanted to and still get updates. Apple is delivering on that promise with an update that you should install as soon as possible.

    iOS 14.8.1 contains 12 — yes, a dozen — security fixes for a swath of issues, ranging from kernel vulnerabilities to bugs in the Safari WebKit engine. These are the sort of issues that could let the bad guys get a foothold into your device to wreak more havoc.

    Apple also fixed many bugs on Monday with the release of an update to iOS 15: iOS 15.1 and iPadOS 15.1. Apple also released iPadOS 14.8.1 for tablet owners who decided to stick with iOS 14. A complete list of fixes for both iOS 14.8.1 and iPadOS 14.8.1 can be found here.

    To install the update, tap on Settings > General and go to Software Update to download the update.

  • Linux Foundation: Confidential computing market to reach $54 billion in 2026

    The confidential computing market is expected to reach $54 billion by 2026, according to a new market study from the Linux Foundation and the Confidential Computing Consortium. Conducted by Everest Group, the study claims the confidential computing market is expected to grow at a CAGR of 90%-95% in the best-case scenario, and 40%-45% even in the worst-case scenario until 2026. The researchers used proprietary datasets, consultations with key market stakeholders and contributions from the members of the Confidential Computing Consortium to compile the study.

    Accenture, ANT Group, Arm, Facebook, Google, Huawei, Intel, Microsoft and Red Hat are all members of the Confidential Computing Consortium. “Confidential computing protects data in use by performing computation in a hardware-based Trusted Execution Environment (TEE),” the researchers explained.

    Abhishek Mundra, practice director at Everest Research, said that while the adoption of Confidential Computing is in the relatively nascent stage, the organization’s research “reveals growth potential not only for enterprises consuming it, but also for the technology and service providers enabling it.”

    The study found that industries facing heavy regulation — like banking, finance, insurance, healthcare, life sciences, public sector and defense — are most interested in the technology and will “dominate” the rollout. The market will be driven by hardware, software and service segments, while adoption in other industries will be driven in part by the increase in privacy regulations and cyberattacks, according to the study.

    The researchers predict that multi-party computing and blockchain “will constitute a large share of the market.” Stephen Walli, governing board chair of the Confidential Computing Consortium, said that because many enterprises are moving data to the cloud, security needs have been altered “dramatically.” “The needs of protecting and managing sensitive data throughout the life cycle, coupled with industry regulations, and the proliferation of cyber risks, positions Confidential Computing to become a de facto technology for computational security,” he said.

    David Greene, head of the CCC’s outreach committee and chief revenue officer of Fortanix, said the strongest demand for confidential computing seems to come from banking, financial services, and healthcare, all of which have huge quantities of very confidential information and a real need to safely use that data. “Customers want to leverage all of their data, even their most sensitive data, for their own use and to collaborate with other businesses. This is data that can bring advancements in critical research and the development of new solutions for health, productivity and improving people’s lives. Organizations in any industry can benefit from keeping their data secure whether it is at rest, in motion or in use,” Greene said. “We continue to see data breaches resulting from gaps in infrastructure security. It’s very hard to protect infrastructure — there are just too many points of vulnerability. Confidential Computing takes a different approach by focusing on protecting the data, even when it is in use. This just is not possible using any other technology.”

  • Weeks early: Adobe dumps massive security patch update

    Adobe has issued a vast security update targeting 14 products, including Lightroom, Photoshop, and InDesign. 


    On October 26, the tech giant issued over 80 patches for vulnerabilities, including critical code execution flaws, privilege escalation, denial-of-service, and memory leaks. Normally, Adobe waits to release batch security updates until the second Tuesday of each month in what is known as Patch Tuesday — a practice also followed by companies including Microsoft. However, when the security of users calls for it, these vendors may release out-of-band or emergency patches — one of the most notable over 2021 being Microsoft’s fixes for zero-day bugs in Exchange Server that were being actively exploited in the wild.

    Adobe After Effects, Audition, Bridge, Character Animator, Prelude, Lightroom Classic, Illustrator, Media Encoder, Premiere Pro, Animate, Premiere Elements, InDesign, XMP Toolkit SDK, and Photoshop have all received new updates. Of note in this security update:

    • Photoshop: CVE-2021-42736, CVSS 7.8, buffer overflow leading to arbitrary code execution
    • XMP Toolkit SDK: CVE-2021-42529, CVE-2021-42530, CVE-2021-42531 (CVSS 7.8), buffer overflows, arbitrary code execution
    • Animate: nine critical bugs, CVSS 7.8, arbitrary code execution
    • Premiere Elements: CVE-2021-40785, CVSS 8.3, NULL pointer dereference, memory leaks
    • Character Animator: three Access of Memory Location After End of Buffer flaws, CVSS 7.8, arbitrary code execution
    • Media Encoder: CVE-2021-40778, CVSS 8.3, NULL pointer dereference, memory leaks

    The updates come at the same time as improvements in Adobe software were announced. Among the changes are upgrades to Photoshop and Illustrator to allow web access via URLs, improved masking and filters in Photoshop, the implementation of Frame.io in products, and the planned release of Canvas and Creative Cloud Spaces next year.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Break into the elite field of cybersecurity by learning Risk Management Frameworks

    StackCommerce


    Some of the most elite careers in tech are in cybersecurity, and the good thing is, you don’t need to become an expert on all aspects of it to break into the field. For instance, the NIST Cybersecurity & Risk Management Frameworks course can teach advanced IT professionals all of the ins and outs of the entire Risk Management process.

    The U.S. government actually designed the Risk Management Framework. It was created in order to establish a secure and efficient process for integrating privacy and security, as well as the management activities of cyber supply chains. Coordinating the framework with the help of a variety of regulations, directives, laws and executive orders makes navigating it amazingly effective.

    The NIST Cybersecurity & Risk Management Frameworks course consists of 57 lectures across more than 21 hours. You will develop a firm foundation in the RMF steps, which will teach you how to prepare your company to manage privacy and security risks. You will find out how to categorize information and the system, as well as how to authorize that system. You will also learn how to select the correct NIST SP 800-53 controls, implement them and assess how they are operating. Then you will monitor risks and the implementation of the controls.

    The course is presented, authored, and provided on the iCollege platform by ITProTV, which is well-known for the entertaining, effective talk-show format that it employs for its IT training courses. Previous students awarded this one a 4.39 out of 5 stars average rating.

    Like many other tech skills, these are highly portable and extremely well-suited for remote work. So if you prefer a nomadic lifestyle, you may want to check out these affordable portable monitors. You really don’t want to pass up this chance to master risk management; get the NIST Cybersecurity & Risk Management Frameworks course now.


  • These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords

    Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials on to other hackers to use for their own campaigns. Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials.

    One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that attempted to use QR codes designed to bypass email protections and steal login information. This is known as a “quishing” attack. QR codes can be useful in attempts at malicious activity because standard email security protections like URL scanners won’t pick up any indication of a suspicious link or attachment in the message.

    The campaign is run from previously compromised email accounts, allowing the attackers to send emails from accounts used by real people at real companies to add an aura of legitimacy to the emails, which could encourage victims to trust them. It’s not certain how the attackers initially gain control of the accounts they’re using to distribute the phishing emails. The phishing emails claim to contain a voicemail message from the owner of the email account they’re being sent from, and the potential victim is asked to scan a QR code in order to listen to the recording. All of the QR codes analysed were created the same day that they were sent.

    A previous version of the campaign attempted to trick users into clicking on a malicious URL by hiding it behind an audio file. However, this was detected and identified as malicious by antivirus software, leading the attackers to switch to using QR codes.

    While the QR code method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. For a start, the user needs to scan the QR code in the first place — and if they’re opening the email on a mobile, they’ll struggle to do this without a second phone. However, if the victim doesn’t suspect anything and follows the instructions, they could mistakenly give their username and password to cyber criminals.

    “The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs,” said Rachelle Chouinard, threat intelligence analyst at Abnormal Security. “It’s only by understanding that the account is compromised — combined with an understanding of the intent of the email — that this new (and fairly innovative) attack type can be detected,” she added.

    In order to stay safe from quishing emails, users should be extremely wary of scanning QR codes presented in unexpected messages, even if they look like they come from known contacts. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen.

  • Meet Balikbayan Foxes: a threat group impersonating the Philippine gov't

    Proofpoint has uncovered a new, “highly active” threat group that is impersonating the Philippine government and businesses to spread Trojan malware. 

    On Wednesday, researchers Selena Larson and Joe Wise said the threat actors, dubbed “Balikbayan Foxes” and tracked as TA2722, are concentrated in the Philippines but are targeting the shipping, logistics, manufacturing, pharmaceutical, business, and energy sectors across the US, Europe, and Asia. Balikbayan Foxes has conducted campaigns over 2021 in which the group sent phishing emails claiming to be from Philippine government entities including the country’s department of health, employment agency, and customs. In addition, the threat actors have impersonated DHL Philippines — DHL being a common victim of impersonation worldwide as a delivery service — and the Manila embassy for the Kingdom of Saudi Arabia (KSA).

    According to the researchers, phishing, spoofed email addresses, and emailed lures are used to snag their victims. These included messages surrounding COVID-19 infection rates, billing, invoicing, and industry advisories. Some of the targets are involved in large supply chains, and so if compromised, these attacks could have a far-reaching impact. Every campaign tracked by Proofpoint was designed to deploy the Remcos and NanoCore Remote Access Trojans (RATs) for the purposes of surveillance and data theft.

    In some cases, phishing emails were sent containing OneDrive links to malicious .RAR files, whereas in others, crafted .PDFs were attached that contained embedded URLs to malicious executables. The group also utilized another common malware payload deployment method — Office documents containing macros which, when enabled, triggered Trojan execution. Proofpoint believes the threat actor’s activities may go back as far as August 2020 based on the activities of multiple clusters and command-and-control (C2) servers now tied to Balikbayan Foxes.

    Recently, the group appears to be expanding its tactics to also include credential harvesting. In September, the name of the Philippines Bureau of Customs CPRS was used to persuade victims to visit a malicious domain and to submit account details in business email compromise (BEC) scams. Of interest is that a single email address tied to multiple IPs associated with this wave of attacks has also been connected with 2017 campaigns designed to deploy the Adwind/jRAT Trojan, which has been available to criminals as a malware-as-a-service offering since 2016.

  • Microsoft warns over uptick in password spraying attacks

    Cyber attackers aren’t just looking for software flaws, supply chain weakness, and open RDP connections. The other key asset hackers are after is identities, especially account details that will give them access to other internal systems. CISA earlier this year warned that the suspected Kremlin-backed hackers behind the SolarWinds attacks were not just trojanising software updates, but also password guessing and password spraying administrative accounts for initial access.

    More recently, Microsoft observed an emerging Iranian hacking group using password spraying against Israeli and US critical infrastructure targets operating in the Persian Gulf. Microsoft estimates that more than a third of account compromises are password spraying attacks, even though such attacks have a 1% success rate for accounts, unless organisations use Microsoft’s ‘password protection’ to avoid bad passwords.

    “Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password,” Microsoft explained last year. That approach helps avoid rate limiting, where too many failed password attempts result in a lockout.

    Microsoft’s Detection and Response Team (DART) has outlined two main password spray techniques, the first of which it calls ‘low and slow’. Here, a determined attacker deploys a sophisticated password spray using “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.”

    The other technique, ‘availability and reuse’, exploits previously compromised credentials that are posted and sold on the dark web. “Attackers can utilize this tactic, also called ‘credential stuffing,’ to easily gain entry because it relies on people reusing passwords and usernames across sites,” Microsoft explains.

    Legacy and unsecured authentication protocols are a problem because they can’t enforce multi-factor authentication. Attackers are also focussing on the REST API, says DART. Top applications targeted include Exchange ActiveSync, IMAP, POP3, SMTP Auth, and Exchange Autodiscover. “Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks,” Microsoft notes.

    Extra care should also be taken when configuring security controls for roles such as security admins, Exchange service admins, Global admins, Conditional Access admins, SharePoint admins, Helpdesk admins, Billing admins, User admins, Authentication admins, and Company admins. High-profile identities such as C-level execs or specific roles with access to sensitive data are also popular targets, says Microsoft.

    Microsoft this week warned that the SolarWinds hackers, a.k.a. Nobelium, were employing password spray attacks on new targets, primarily against managed service providers that have been delegated admin access by upstream customers. Microsoft found that Nobelium was “targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems.” The attacks are not the result of a product security vulnerability, Microsoft stressed, “but rather a continuation of Nobelium’s… dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”

    DART offers some handy tips to help shape the course of an investigation, such as determining whether the spray attack was successful on at least one account, determining which users were affected, and whether admin accounts were compromised.
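    The three DART investigation questions above (did the spray succeed on at least one account, which users were affected, were admin accounts compromised) can be worked through with a short triage script over sign-in records. The example below is added here and is not Microsoft’s or DART’s code; the sign-in records, IP addresses, account names and the privileged-account list are constructed assumptions. It pools failures across source IPs so that the ‘low and slow’ pattern (many users, one password, several IPs) still shows up as one event, and it counts a success as a compromise only when it comes from a spraying IP against a sprayed user inside the spray window, so a legitimate typo-then-success elsewhere is not flagged.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): time,user,ip,app,result
SAMPLE_LOG = """time,user,ip,app,result
2021-10-26T07:58:10,alice@corp.example,198.51.100.7,Exchange ActiveSync,failure
2021-10-26T07:58:40,alice@corp.example,198.51.100.7,Exchange ActiveSync,success
2021-10-26T09:00:01,alice@corp.example,203.0.113.10,IMAP,failure
2021-10-26T09:01:12,bob@corp.example,203.0.113.11,IMAP,failure
2021-10-26T09:02:30,carol@corp.example,203.0.113.12,SMTP Auth,failure
2021-10-26T09:03:44,dave@corp.example,203.0.113.10,IMAP,failure
2021-10-26T09:05:05,erin@corp.example,203.0.113.11,POP3,failure
2021-10-26T09:06:21,admin.ops@corp.example,203.0.113.12,IMAP,failure
2021-10-26T09:07:50,frank@corp.example,203.0.113.10,IMAP,failure
2021-10-26T09:09:15,bob@corp.example,203.0.113.11,IMAP,success
2021-10-26T09:10:02,admin.ops@corp.example,203.0.113.12,IMAP,success
2021-10-26T14:30:00,carol@corp.example,198.51.100.9,Exchange ActiveSync,success
"""

ADMIN_ACCOUNTS = {"admin.ops@corp.example"}  # assumed list of privileged accounts
LEGACY_APPS = {"IMAP", "POP3", "SMTP Auth", "Exchange ActiveSync", "Exchange Autodiscover"}


def parse_log(text):
    """Parse CSV sign-in records into dicts with a datetime, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_tries_per_user=2):
    """Return the window with the most distinct failing users where no user saw
    more than a few attempts (many users, one password), or None. Failures from
    all source IPs are pooled so a spray spread over several IPs is one event."""
    failures = [e for e in events if e["result"] == "failure"]
    best = None
    for i, start in enumerate(failures):
        in_window = [f for f in failures[i:] if f["ts"] - start["ts"] <= window]
        per_user = Counter(f["user"] for f in in_window)
        if len(per_user) < min_users or max(per_user.values()) > max_tries_per_user:
            continue
        if best is None or len(per_user) > len(best["users"]):
            best = {"start": start["ts"], "end": start["ts"] + window,
                    "users": set(per_user),
                    "ips": {f["ip"] for f in in_window},
                    "apps": {f["app"] for f in in_window}}
    return best


def triage(events, spray):
    """Answer the three DART questions for a detected spray. A success counts as
    a compromise only from a spraying IP, against a sprayed user, in the window."""
    empty = set()
    if spray is None:
        return {"successful": False, "affected_users": empty, "compromised": empty,
                "admins_compromised": empty, "legacy_apps": empty}
    compromised = {e["user"] for e in events
                   if e["result"] == "success" and e["ip"] in spray["ips"]
                   and e["user"] in spray["users"]
                   and spray["start"] <= e["ts"] <= spray["end"]}
    return {"successful": bool(compromised),
            "affected_users": spray["users"],
            "compromised": compromised,
            "admins_compromised": compromised & ADMIN_ACCOUNTS,
            "legacy_apps": spray["apps"] & LEGACY_APPS}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for key, value in triage(evts, detect_spray(evts)).items():
        print(f"{key}: {value}")
```

    On the constructed log this reports a successful spray from three IPs over legacy protocols, with two compromised accounts, one of them privileged, while alice’s earlier mistyped password from her usual address is left alone.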