More stories


    Becoming a new chief information security officer today: The steps for success

    Becoming a Chief Information Security Officer (CISO) is no easy task, especially with evolving and disruptive cyberattacks a constant threat.

    A CISO is expected to lead the team responsible for managing cybersecurity in an organization, and the role requires creating and implementing strategies that cover compliance, regulatory and legal considerations, process and patch management, and more. The CISO of an enterprise firm is also expected to have a thorough knowledge of the evolving threat landscape, and as such may be expected to play a key role in incident response. They may also work with a Chief Information Officer (CIO) to manage data compliance. However, according to Steve Cobb, CISO of One Source Communications, a modern CISO also needs a head for numbers, with budgets becoming a key consideration.

    Speaking to attendees of Mandiant’s Cyber Defense Summit 2021, Cobb said that to be successful, these leaders need to consider and approach a number of topics, whether they have been brought in from outside or have grown into the role organically. According to the One Source Communications CISO, these are some of the steps someone stepping into the role of a CISO or security officer should take.

    - Review all existing policies: Cobb says the first step a new security officer should take is to review existing IT and security policies. Special attention should be paid to the company’s incident response plan, if it exists, as well as business continuity and disaster recovery plans. If they don’t exist, the CISO says, those new to the role have “an opportunity to have a significant impact on the organization.”

    - Review the last three security assessments: These should include any records of penetration tests, red team engagements, and vulnerability scans. Cobb also recommends that new security officers ask about security awareness training and phishing simulations, and work out whether such training is actionable and valuable to staff.

    - Review cyber insurance policies: As a new CISO, you should evaluate existing policies, including cyber insurance, representation from legal teams, connections with incident response (IR) providers, and who is handling the firm’s PR. Insurance providers may list recommended or approved IR and legal responders, so CISOs need to make sure the organization’s chosen teams are either on the permitted list or get added to it. What a cyber insurance policy covers should also be explored: for example, does it cover ransomware infections or data theft and extortion, and if so, what is the claim limit? You should also find out whether you are covered for liability should you become party to a lawsuit arising from a cybersecurity incident, and whether the same applies to your team.

    - Fight for a budget: Asking the right questions at leadership meetings gives new security officers a fighting chance to perform well in their roles. This includes what cybersecurity budget is available, whether it is separate from or part of the general IT budget, and whether it has increased year over year. “If you are being brought in, I would argue that you should have a budget to make sure you can do what it is you’re being asked to do,” Cobb commented. In addition, CISOs should find out which corporate resources are the most valuable and require protection, how long the company can cope with disruptive events, and whether it holds data that, if stolen, could cause “substantial reputational damage and/or significant loss of revenue,” the executive says.

    - Investigate: According to Cobb, the next step is to find out what tools are in place: what firewalls exist, whether there is any endpoint protection, whether two-factor or multi-factor authentication is deployed, and whether the organization is protecting email flows. Key questions are also whether anyone is monitoring outside business hours, and whether the organization is able to rapidly detect basic attacks. Cobb also suggests asking for a fresh security assessment in light of your investigation.

    - Build relationships: Meet with the director or leader of IT teams and the CIO, and find out whether security is a consideration (at all) and what protections are in place for the business. New CISOs should also find out what strategies are in place for on-premises and cloud setups.

    Cobb also suggests that today’s security officers should try to be “visionary” and implement cultural change.

    “Let’s start changing the culture,” Cobb says. “They [changes] don’t happen at the beginning of your stint as a CISO, they may happen years later. [...] That’s why your strategy needs to be in place so you can be successful. Consider your limitations, but don’t put the entire weight of the world for security on yourself. Put a team around you [...] and set the expectations of the business early on with your leadership.”


    Singapore inks pact with Finland to mutually recognise IoT security labels

    Singapore and Finland have inked an agreement to mutually recognise each country’s cybersecurity labels for Internet of Things (IoT) devices, aimed at helping consumers assess the level of security in such products. Touting it as the first such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicated testing.

    The global pandemic had accelerated the pace of digitalisation as well as surfaced many uncertainties and challenges, pushing governments and businesses to drive their digital transformation, said Singapore’s Senior Minister of State for the Ministry of Communications and Information, Janil Puthucheary. Dependence on IoT had increased as nations looked to transform into smart cities, fuelled by the need for connectivity and to tap data, said Puthucheary, who was speaking Wednesday at the Singapore International Cyber Week conference. He noted that the number of connected devices worldwide was projected to double to 50 billion in 2030, compared with 2018.

    This growing adoption brought with it security risks that must be addressed, he said. “[The] majority of consumer IoT devices are built and developed to optimise functionality and cost, usually at the expense of the security of the device. However, IoT security should not and cannot be an afterthought, but should be a key consideration and a design fundamental,” he noted. “Without the requisite security in place, it leaves end users exposed to malicious cyber threat actors seeking to compromise the devices, and this results in the loss of data. More importantly, privacy and trust.”

    Pointing to leaked footage of home cameras in Singapore last year, he stressed the need to drive consumer awareness and responsibility, enhance the skills of security professionals, and build partnerships with the international community and industry. Singapore last year introduced its multi-tiered Cybersecurity Labelling Scheme (CLS) to enable consumers to make more informed decisions when buying IoT devices, said Puthucheary. The initiative also gave manufacturers a way to differentiate their products, he added.

    Since its launch in October 2020, CLS had received more than 100 applications, with some labelled products available online and on the shelves of physical stores. These included products from manufacturers Signify, BroadLink, and Aztech.

    The new agreement with Finland extends the programme internationally: both countries will mutually recognise cybersecurity labels issued by the Cyber Security Agency of Singapore (CSA) and the Transport and Communications Agency of Finland (Traficom). According to CSA, the agreement was the first such bilateral recognition, and Singapore hoped to rope in more partners. The pact with Finland aimed to reduce the need for duplicated testing and ease market access for manufacturers, said CSA. Under the agreement, consumer IoT products that met the requirements of Finland’s cybersecurity label would be recognised as having met CLS Level 3 requirements in Singapore, and vice versa.

    The Singapore Standards Council, which sits under Enterprise Singapore, on Wednesday also launched the country’s first national standard on the subject, Technical Reference (TR) 91 on Cybersecurity Labelling for Consumer IoT. The move would provide a standard that could be adopted by manufacturers, developers, testing bodies, and suppliers of consumer IoT devices across the globe. CSA added that TR 91 offered a framework for countries to align and mutually recognise their respective cybersecurity labels.

    The agency said it also was increasing the number of approved test labs for Level 3 and Level 4 applications to meet growing demand for CLS assessment. In addition, the national labelling scheme would be extended to include more products and services beyond consumer IoT devices, CSA said, adding that more details would be provided in future. In January 2021, several device categories were added to the CLS, including smart lights, smart door locks, smart printers, and IP cameras. The scheme initially applied only to Wi-Fi routers and smart home hubs.

    Puthucheary noted that security measures also were needed for the networks IoT devices sit on, particularly since the potential impact of Distributed Denial of Service (DDoS) botnets could go beyond individual users. He pointed to the Mirai malware in 2016, which exploited insecure IoT devices to build a botnet that launched a DDoS attack disrupting access to major internet services in the US. “The work of building a safe, resilient, and secure IoT ecosystem is, thus, very important and spans across various stakeholders,” he said. In this aspect, he noted that CSA had partnered with the Global Cyber Alliance to leverage the latter’s Automated IoT Defence Ecosystem (AIDE), a global network of partners that shares IoT threat information.


    Twitch source code, business data, gamer payouts leaked in massive hack

    An unknown hacker has leaked what is claimed to be the entirety of Twitch’s source code in a 128 GB trove of data released this week. The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes:

    - The entirety of twitch.tv, with commit history going back to its early beginnings
    - Mobile, desktop and console Twitch clients
    - Creator payout reports from 2019
    - Proprietary SDKs and internal AWS services used by Twitch
    - Every other property that Twitch owns, including IGDB and CurseForge
    - An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
    - Twitch SOC internal red teaming tools

    The hacker, who called themselves “Anonymous” on a 4chan discussion board, said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.” “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch,” the hacker added.

    Twitch and Amazon, which owns the company, did not respond to requests for comment. Twitch released a brief statement on Twitter confirming that a breach occurred and pledging to release updates. Twitch is one of the biggest gaming platforms in the world, with an average of 15 million daily users and more than 2 million creators broadcasting monthly. More than 18 billion hours of Twitch video were streamed in 2020.

    #DoBetterTwitch has trended for weeks as the platform has faced backlash for allowing “hate raids”, in which the chat of minority streamers is overwhelmed by slurs and abuse. Twitch was forced to address the issue in a Twitter thread in August and pledged to do more about racial abuse. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix,” Twitch said. “Your reports have helped us take action. We’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.” The words did little to quell outrage, and gamers held a protest last month, boycotting the site for 24 hours over the company’s inaction on “hate raids.”

    Public reaction to the leak has focused on the earnings of popular streamers, which reached the millions for some. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that the earnings listed for him in the leak were correct, and other high earners backed it up. A significant amount of Amazon business information was also released in the hack, including the company’s plans for a rival to the gaming platform Steam, called Vapor.

    Others raised serious concerns about the security of the platform and the many bank accounts connected to it. SocialProof Security CEO Rachel Tobac warned streamers to ensure their financial services have the strongest MFA available, because they will now be targets for other hackers and scammers. “For streamers with payout data leaked, this includes Venmo, CashApp, Bank, etc. If hardware based MFA is an option, move to that by end of day (though many banks still don’t offer security key options). If security key not an option, move to app-based MFA rather than SMS-based,” Tobac wrote. “Intruders supposedly leaked Twitch internal red team tools & threat models — brutal. If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook. If you work at Twitch, be politely paranoid about messages, requests, etc.”

    F-Secure researcher Jarno Niemela said password hashes have leaked, so all users should change their passwords and enable 2FA if they have not already. “But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked,” Niemela added. All of Twitch’s red team tooling is now widely available, he added, giving attackers a great deal of information about how to break into the company and those connected to it. Among the leaked files, experts focused on the folders “core config packages,” “devtools” (developer tools) and “infosec” (information security).

    James Chappell, co-founder of Digital Shadows, said one of Twitch’s internal GitHub repositories was stolen in the attack. “The leaked data was made available through torrents shared as magnet links. The data set appears to be comprehensive. It has also been labeled as a ‘part 1,’ which suggests that there is more to come. Whilst user data does not currently appear to be in the archive, users on the forum are speculating as to what may follow,” Chappell said. “There appears to be evidence that an internal GitHub server, git-aws.internal.justin.tv, was at least part of the breach. Justin.tv was the name of a company that eventually transformed into Twitch. It rebranded as Twitch in 2011, so this looks like a long-standing piece of infrastructure.”

    Security experts like ThreatModeler CEO Archie Agarwal described the hack as “as bad as it could possibly be” and questioned how someone managed to exfiltrate 128 GB “of the most sensitive data imaginable without tripping a single alarm.”


    Best VPN for Chrome and Chromebooks 2021

    You would think that the method of protecting Chrome browsing would be the same for Chrome as for Chromebooks. After all, Chromebooks are machines designed to run Chrome. But there are differences, and we’ll discuss them in this article.

    Desktop Chrome on PCs and Macs is best protected by VPN applications designed for those operating systems; we’ve done closer-look articles on both of those categories. Essentially, you install a VPN application that runs in the background and tunnels all of the machine’s network traffic. Chrome extensions are available for most of the popular VPN services; they let you turn features on and off from the browser and add some WebRTC protection.

    For iOS and Android, users also install a device-wide application. Mobile Chrome doesn’t support extensions, so the device-based app is your only option there.

    If you want to protect a Chromebook, the Chrome browser extension isn’t enough, because it only covers browser traffic. The way most VPN vendors recommend you protect a Chromebook is by installing their Android app. Android apps run on most modern Chromebooks, but older Chromebooks lack that capability, so check each vendor’s compatibility list. Once the Android app is installed and connected, you’re generally protected, but confirm with the vendor that the app tunnels Chrome OS traffic as a whole and not just other Android apps, and check whether a Linux (Crostini) container on the Chromebook is covered, since that has not always been the case.

    Finally, for Linux desktops running Chrome, some vendors offer a native Linux client, and many publish OpenVPN (and increasingly WireGuard) configuration files that you can import into the system’s network manager. Another option is to run the VPN on a router and send all traffic through it; that doesn’t help mobile Linux users, but it’s a start.

    Let’s take a look at four of our favorite VPN services and see how they do with Chrome and Chromebook.

    IPVanish

    Chromebook compatibility: see the vendor’s compatibility list
    Simultaneous connections: Unlimited
    Kill switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500
    Locations: 75
    Trial/MBG: 30 days

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some useful performance graphs. It also supports a wide variety of protocols, so no matter what you’re connecting to, you know what to expect. The company also provides an excellent server list with good current status information, and there’s a raft of configuration options for the app itself.

    In terms of performance, connection speed was very fast and overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN, although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN. The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    ExpressVPN

    Chromebook compatibility: see the vendor’s compatibility list
    Simultaneous connections: 5, or unlimited with the router app
    Kill switch: Yes
    Platforms: a long list (see the vendor’s full list)
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days

    ExpressVPN has been in the headlines recently with some pretty rough news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Shield.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    While the company does not log browsing history or traffic destinations, it does log the dates you connected to the service, the amount of data transferred, and the VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    NordVPN

    Simultaneous connections: 6
    Kill switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5,517
    Trial/MBG: 30 days

    NordVPN is one of the most popular consumer VPNs out there. In 2019, Nord disclosed that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has since made substantial efforts to remedy the breach.

    In our review, we liked that it offered capabilities beyond a basic VPN, including support for P2P sharing, a service it calls Double VPN that adds a second hop and a second layer of encryption, Onion over VPN, which routes traffic into the Tor network over the VPN, and even a dedicated IP if you need a fixed address, for instance to run a server behind the VPN. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although latency was high enough that I wouldn’t want to play a fast-paced (twitch) game over the VPN. To be fair, most VPNs have pretty poor latency, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    Surfshark

    Simultaneous connections: Unlimited
    Kill switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a strong security focus: traffic is encrypted with AES-256-GCM, the handshake uses RSA-2048 keys, and sessions have perfect forward secrecy, so a compromised long-term key does not expose past sessions. To prevent WebRTC leaks, Surfshark offers a browser extension designed specifically to combat them.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. Surfshark also offers a multihop option that routes connections through two VPN servers in its own network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that checks your email address against data breach lists.

    I’m running a VPN app. Do I still need a Chrome extension?

    The answer will differ a bit from vendor to vendor, but generally the Chrome extension gives you in-browser control over the app. More important is WebRTC: when a site uses it, the browser gathers ICE candidates, which include the addresses of your local network interfaces and the public address a STUN server sees. If the VPN app leaves an interface or IPv6 traffic outside the tunnel, or the browser hands out host candidates freely, a site’s JavaScript can read your real IP address even though the tunnel is up. The VPN extensions usually close this by setting Chrome’s WebRTC IP handling policy so that only the default (tunneled) route is used.
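    As an added example (not code from this article or from any VPN vendor), here is what a WebRTC leak check looks like in the browser’s own JavaScript. The parsing and classification functions are pure and run anywhere; the gathering function only works in a browser. The STUN server URL, the VPN exit address and the sample candidate lines are constructed assumptions for illustration.

```javascript
// Added example: a WebRTC leak check. The browser reveals addresses through
// ICE candidate gathering; this code parses the candidates and decides
// whether any of them expose an address the VPN tunnel should have hidden.
// STUN URL, exit address and sample candidates are constructed assumptions.

// One SDP candidate line looks like:
//   candidate:<foundation> <component> <proto> <priority> <addr> <port> typ <type> ...
// Returns { ip, type } or null if the line does not have that shape.
function parseCandidate(candidateStr) {
  const f = candidateStr.trim().split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  return { ip: f[4], type: f[7] };
}

// RFC 1918, loopback and link-local IPv4 ranges, plus IPv6 ULA/link-local/loopback.
const PRIVATE_PREFIXES = [
  /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^127\./, /^169\.254\./,
  /^f[cd][0-9a-f]{2}:/i, /^fe80:/i, /^::1$/,
];

function isPrivateAddress(addr) {
  return PRIVATE_PREFIXES.some((re) => re.test(addr));
}

// Decide what each candidate reveals. A "host" candidate is one of your own
// interface addresses; Chrome usually replaces these with an mDNS name
// (xxxx.local), which reveals nothing. A "srflx" candidate is the address the
// STUN server saw: if it is not the VPN exit address, the STUN packet left
// the machine outside the tunnel. "relay" candidates carry the TURN server's
// address, not yours, and are ignored.
function classifyCandidates(candidateStrs, vpnExitIp) {
  const findings = [];
  for (const line of candidateStrs) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.type === 'host') {
      if (c.ip.endsWith('.local')) continue; // mDNS-obfuscated, nothing leaked
      findings.push({ ip: c.ip, leak: isPrivateAddress(c.ip) ? 'lan-ip' : 'public-host-ip' });
    } else if (c.type === 'srflx' || c.type === 'prflx') {
      if (c.ip !== vpnExitIp) findings.push({ ip: c.ip, leak: 'public-ip-outside-tunnel' });
    }
  }
  return findings;
}

// Browser only: open a throwaway RTCPeerConnection and collect every ICE
// candidate the browser generates. Resolves with the raw candidate strings.
function gatherCandidates(stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      reject(new Error('RTCPeerConnection is not available outside a browser'));
      return;
    }
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const found = [];
    const done = () => { pc.close(); resolve(found); };
    pc.createDataChannel('leak-check'); // needed so the browser actually gathers
    pc.onicecandidate = (ev) => (ev.candidate ? found.push(ev.candidate.candidate) : done());
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
    setTimeout(done, timeoutMs); // harmless if gathering already finished
  });
}

// Constructed sample: what a browser might gather on a LAN client whose VPN
// app is not tunneling the STUN traffic. 198.51.100.200 is the assumed VPN
// exit address; 203.0.113.45 is the client's real public address.
const VPN_EXIT_IP = '198.51.100.200';
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
  'candidate:3 1 udp 2122194687 3f0a9c2e-7d6b-4a1c-9a1e-1f2d3c4b5a60.local 60001 typ host generation 0',
  'candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 51234 generation 0',
];

// Returns the findings for the constructed sample: the LAN address from the
// host candidate and the real public address from the srflx candidate.
function runSampleCheck() {
  return classifyCandidates(SAMPLE_CANDIDATES, VPN_EXIT_IP);
}

// In a browser, compare live candidates against the exit IP your VPN app reports:
//   gatherCandidates().then((c) => console.log(classifyCandidates(c, VPN_EXIT_IP)));
```

    If the srflx address matches the VPN exit address and every host candidate is an mDNS name, the page learned nothing useful; any other result is exactly what a site could collect from you, which is the behaviour the extensions’ WebRTC setting is meant to stop.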

    If I have a Chrome VPN extension, do I need a full app?

    Yes, because Chrome extensions only protect Chrome. Most VPN extensions are really a browser proxy, so anything else on the machine that talks to the network, from other apps to system updates and DNS lookups made outside the browser, isn’t covered. Only the full app (or a router-level VPN) tunnels the whole device.

    How can I stay protected if my older Chromebook doesn’t support Android apps?

    The answer is much like the answer to anyone asking how to stay protected on old gear: sometimes you can’t. Before giving up, check whether your provider publishes L2TP/IPsec or OpenVPN settings, since Chrome OS has a built-in VPN client for those that doesn’t depend on Android support, or put the VPN on your home router. If your gear can’t keep you safe online, either don’t go online or upgrade your gear. Sorry, but the cost of an upgrade is far less than the damage that can be caused if you’re a victim of identity theft.


    Get maximum security and unlimited bandwidth with a 2-year subscription to IPVanish

    Now that the world is open to travel again, digital nomads (and those learning skills suitable for remote work) are eager to start working in exotic locations. But a private browser window does nothing to protect your traffic on the network. A virtual private network can, and IPVanish VPN’s 2-Year Subscription is currently available at over 70% off for just $69.99.

    Once you connect to IPVanish, your online traffic is routed through an encrypted tunnel to the VPN server. The sites you browse, the video you stream, and the messages you send see the VPN server’s IP address rather than yours. IPVanish states that it keeps no logs of your activity across all of its apps, and that no automatic diagnostics are collected. Traffic inside the tunnel is protected with 256-bit AES encryption, so snoops on public Wi-Fi networks can’t read it. And unlike a lot of other VPNs, you won’t have to sacrifice speed to stay safe. With IPVanish, you get unmetered bandwidth and unthrottled speed on an unlimited number of devices. You also get access to over 1,900 servers in more than 75 locations, which helps with geo-restrictions: you can watch your usual content from wherever you happen to be without getting that irritating message saying it’s not available in your location. There are user-friendly apps for all major platforms, and if you run into any issues, IPVanish offers 24/7 customer support. Users and reviewers both find IPVanish quite satisfactory: the app has a 4.5 out of 5 stars rating on Apple’s App Store, and TechRadar has this to say: “US-based IPVanish is an appealing VPN provider with a long list of features, including several that you won’t often see elsewhere.”

    To surf the web on a speedy, encrypted connection from anywhere, grab a 2-year subscription to IPVanish today for only $69.99, a 73% discount off the usual $263 price.


    Box adds new integrations with Microsoft, Slack, steps up security

    Box on Wednesday announced major new integrations with Microsoft and Slack, as well as a series of product updates that include new, AI-driven malware protection. Box rolled out the updates during its annual BoxWorks conference, following a turbulent year that has ramped up expectations for cloud-based content management and collaboration. “This past year and a half, everything we’ve been doing has been consistent with our long-term vision,” Box CEO Aaron Levie said to ZDNet. “But the rate of change and number of things we’re doing vastly exceeds what we would’ve imagined.”

    For instance, Levie said, strong customer demand drove Box’s entry into the e-signature market, something he didn’t necessarily foresee a few years ago. “But because of COVID-19, everyone’s moving to digital workflows, and we’re now entering a multi-billion dollar category.” After acquiring SignRequest for $55 million in February, Box released its native e-signature feature, Box Sign, to a subset of users in July. This week, Box is rolling it out to all US users. “Fundamental patterns of work are evolving because of this hybrid nature of working in different locations,” Levie said. “It’s affecting our entire product roadmap.”

    The accelerated move to digital work has also coincided with a spike in ransomware attacks. To respond, Box is adding new capabilities to Box Shield, the company’s flagship security control and threat detection product. The new malware deep scan capability scans files in near real time as they are uploaded to Box. It uses deep learning and external threat intelligence to analyze the data within files and contain malware. The feature is designed to minimize disruption to workflows: admins can, for instance, override threat verdicts for low-risk content. Box also announced improved, machine learning-powered alerts in Box Shield, as well as more detailed alerts for admins that explain why certain behaviors are deemed risky.

    Over time, Levie said, Box plans to add features to Box Shield that will help customers roll back content in the event of an attack, as well as features to prevent ransomware from spreading into different file environments.

    In addition to updating Box Shield, Box is revamping Box Notes with more collaboration features. The improved product will let users add a table of contents, anchor links, and more to simplify content organization and navigation within a Box Note. It will also include call-out boxes so users can better highlight content, code blocks to simplify technical collaboration, and in-line cursors to help keep track of edits in real time. It will also feature new security and control capabilities, like granular permissions and access stats. The updated Box Notes is expected to be generally available in January 2022 and will be included in the core Box offering at no additional cost.

    Meanwhile, the Box mobile app is getting a new Capture Mode, for iOS and Android, for capturing, scanning, and uploading photos, audio, or documents, which should make it easier for field teams to add content directly into Box. The app is also getting Optical Character Recognition (OCR) technology that recognizes text automatically and turns scanned documents into searchable PDFs, with multi-language support. There will also be a redesigned iPad experience with a simplified layout.

    In terms of integrations, Box for Microsoft Office will now enable real-time co-authoring in the Office desktop and mobile apps (including Microsoft Word, Excel and PowerPoint), with all edits automatically saved to Box. Meanwhile, an updated Box for Microsoft Teams integration will let customers make Box the default storage option in Teams. Box and Microsoft have hundreds of thousands of joint customers. The enhanced Box for Microsoft Office integration is expected to be available in early 2022, and the Teams integration by the end of the year.

    Box is also deepening its integration with Slack, so users can make Box the content layer in Slack by uploading files directly to Box through the Slack interface, keeping Box’s security and compliance controls in force even when files arrive via Slack. The new capabilities are expected to be available later this year and will be included in the core Box offering.


    Ransomware law would require victims to disclose ransom payments within 48 hours

    Victims of ransomware attacks who choose to pay a ransom to cyber criminals for the decryption key could have to publicly disclose that a payment was made within 48 hours of doing so. The Ransom Disclosure Act, proposed by US Senator Elizabeth Warren and Representative Deborah Ross, would require organisations that fall victim to ransomware attacks and pay the ransom to report details of the payment.

    Information that would have to be disclosed includes the amount of ransom demanded and paid, the type of currency used to pay the ransom – commonly Bitcoin – and any known information about the attackers demanding the ransom. The information would have to be disclosed to the Department of Homeland Security (DHS) within 48 hours of the payment being made. The aim of the bill is to provide DHS with better information about ransomware attacks to help counter the threat they pose to businesses and other organisations across the United States.

    “Ransomware attacks are skyrocketing, yet we lack critical data to go after cyber criminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cyber criminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

    The threat of ransomware has loomed large throughout this year and several incidents have had a direct impact on people’s daily lives. The Colonial Pipeline ransomware attack led to a shortage of gas in the North Eastern United States as people rushed to stockpile – the company paid cyber criminals millions of dollars in order to get the decryption key.

    Meat processor JBS USA paid an $11 million ransom to cyber criminals after falling victim to a ransomware attack in June. While the FBI discourages the payment of ransoms, many victims feel the need to pay, perceiving it as the quickest way to get the network up and running again. But even with the correct decryption key, restoring the network can still be a slow and arduous process.

    Many victims are also coerced into paying because ransomware criminals steal sensitive information from the network before encrypting it and threaten to leak the data if they are not paid. It is because victims regularly give in to extortion demands that ransomware remains so lucrative and attractive for cyber criminals.

    “Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation,” she added.

    Currently, the Ransom Disclosure Act is just a proposal. In order to become law it will have to be approved by both the House of Representatives and the Senate before it can be signed by President Biden.


    Apache HTTP Server Project patches exploited zero-day vulnerability

    Developers behind the Apache HTTP Server Project are urging users to apply a fix immediately to resolve a zero-day vulnerability. 

    According to a security advisory dated October 5, the bug is known to be actively exploited in the wild. Apache HTTP Server is a popular open source project focused on the development of HTTP server software for operating systems including UNIX and Windows.

    The release of Apache HTTP Server version 2.4.49 fixed a slew of security flaws including a validation bypass bug, a NULL pointer dereference, a denial-of-service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability. However, the update also inadvertently introduced a separate, critical issue: a path traversal vulnerability that can be exploited to map and leak files.

    Tracked as CVE-2021-41773, the security flaw was discovered by Ash Daulton of the cPanel security team in a change made to path normalization in the server software.

    “An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the developers say. “If files outside of the document root are not protected by ‘Require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”

    Positive Technologies has reproduced the bug, and Will Dormann, vulnerability analyst at CERT/CC, says that if mod_cgi is enabled on Apache HTTP Server 2.4.49 and the default “Require all denied” protection is missing, then “CVE-2021-41773 is as RCE [remote code execution] as it gets.”

    CVE-2021-41773 only affects Apache HTTP Server 2.4.49, as it was introduced in this update; earlier versions of the software are not affected. Yesterday, Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States.

    The vulnerability was privately reported on September 29 and a fix is included in version 2.4.50, made available on October 4. Users are advised to upgrade as quickly as possible.
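    As an added example (not from the article or the Apache project), a small Python detector for the request class described above: it percent-decodes each path in access-log lines, tests whether the result climbs above the document root, and separately flags percent-encoded dots, which browsers never send. The log lines, addresses and file names are constructed.

```python
"""Flag access-log requests whose path climbs above the document root once
percent-encoding is undone. Added example; the log lines are constructed."""
import re
from urllib.parse import unquote

# Common/combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def escapes_docroot(raw_path, rounds=3):
    """True if the path, fully percent-decoded, ever rises above the root:
    '/a/../b' stays inside, '/a/../../b' escapes (filesystem view)."""
    path = raw_path.split("?", 1)[0]
    for _ in range(rounds):                 # bounded: undo double-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def scan_log(text):
    """Return (ip, path, status, reasons) per suspicious request. A percent-
    encoded '.' (%2e, or double-encoded %252e) is flagged on its own."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if escapes_docroot(m["path"]):
            reasons.append("escapes-docroot")
        if re.search(r"%(25)*2e", m["path"], re.I):
            reasons.append("encoded-dot-segment")
        if reasons:
            findings.append((m["ip"], m["path"], m["status"], reasons))
    return findings

# Constructed samples: RFC 5737 addresses, placeholder file names.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /docs/../index.html HTTP/1.1" 200 1024
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/outside/file.txt HTTP/1.1" 200 512
203.0.113.9 - - [05/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/outside/script.cgi HTTP/1.1" 403 199
"""
```

    A 200 status on a flagged line deserves the most attention: the server answered the escaped request rather than rejecting it.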