More stories

  • Twitter creates 'Safety Mode' to temporarily block accounts caught insulting users

    Twitter is rolling out a new feature called Safety Mode that temporarily blocks certain accounts for seven days if they are found insulting users or repeatedly sending hateful remarks. The feature will only be available to a small group of English-language users on iOS, Android and Twitter.com, the company explained in a blog post on Wednesday. Users will also be blocked if they are sending “repetitive and uninvited replies or mentions,” according to Twitter senior product manager Jarrod Doherty.

    “When the feature is turned on in your Settings, our systems will assess the likelihood of a negative engagement by considering both the Tweet’s content and the relationship between the Tweet author and replier,” Doherty said. “Our technology takes existing relationships into account, so accounts you follow or frequently interact with will not be autoblocked. Authors of Tweets found by our technology to be harmful or uninvited will be autoblocked, meaning they’ll temporarily be unable to follow your account, see your Tweets, or send you Direct Messages.”

    A screenshot of what Safety Mode will look like. (Image: Twitter)


    Doherty added that unwelcome Tweets have gotten in the way of the kinds of conversations Twitter wants its users to continue having, prompting the creation of the Safety Mode tool and other features added in recent years to protect people. Users can learn more about the Tweets and accounts that were flagged by Safety Mode and will receive a notification once the Safety Mode ban period is about to end. Twitter will also send a recap of the situation before the period ends. 

    “We won’t always get this right and may make mistakes, so Safety Mode autoblocks can be seen and undone at any time in your Settings. We’ll also regularly monitor the accuracy of our Safety Mode systems to make improvements to our detection capabilities,” Doherty explained. “We want you to enjoy healthy conversations, so this test is one way we’re limiting overwhelming and unwelcome interactions that can interrupt those conversations. Our goal is to better protect the individual on the receiving end of Tweets by reducing the prevalence and visibility of harmful remarks.” In recent years, Twitter has worked with human rights groups and mental health organizations to get feedback about their platform and changes that need to be made to better protect users from discrimination, racism, sexism and other issues that have become rampant on the site. 


    Twitter also created a Trust and Safety Council that it said pushed for certain changes to Safety Mode that would make it less likely to be manipulated. The council also nominated certain Twitter accounts to join the inaugural group of users that will have access to Safety Mode, with a particular emphasis on providing the tool to people from marginalized communities and female journalists.

    Digital human rights group Article 19 — which is a member of the Trust and Safety Council — said it provided feedback on Safety Mode “to ensure it entails mitigations that protect counter-speech while also addressing online harassment towards women and journalists.” “Safety Mode is another step in the right direction towards making Twitter a safe place to participate in the public conversation without fear of abuse,” Article 19 said in a statement.

    Doherty noted that Twitter has taken part in other discussions about ways women can customize their experience on the site through tools like Safety Mode and others. Twitter will see how the tool is used and make adjustments as it rolls it out to the larger Twitter user base.

    The site has been making changes in recent months to cut down on the disinformation and abuse that have caused outrage among users for many years. In August, the site announced that it was conducting a test that would allow users in the US, South Korea and Australia to report misleading tweets, which have gained prominence during the COVID-19 pandemic and subsequent vaccine rollout.

  • Apple adds driver's licenses, state IDs to Apple Wallet

    Apple is working with eight states to bring state IDs and driver’s licenses to Apple Wallet in a move that could make airport check-ins easier. The company said that Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma and Utah will be bringing their IDs to Apple Wallet for display on the iPhone and Apple Watch. Apple is pushing Apple Wallet to be an ID repository with plans to add student IDs, corporate badges, hotel keys and other items. Arizona and Georgia will be the first states to enable residents to add their driver’s license or state ID to Apple Wallet. The Transportation Security Administration (TSA) will enable some airport security checkpoints and lanes to allow customers to use Apple Wallet for their ID and pass through with a phone tap. Specific dates for the Apple Wallet rollout for IDs will be shared by TSA and participating states.

    The process goes like this: A consumer would add an ID or license to Apple Wallet as they would a credit card or transit pass. If paired with an Apple Watch, the consumer could add the ID to the Apple Watch. The consumer would be asked to use their iPhone to scan their physical driver’s license or state ID card and take a selfie that would be provided to the state for verification. For additional security, customers will be prompted to complete a series of facial and head movements. The issuing state would then verify the ID to be added to Apple Wallet. Once added, the TSA will be able to accept IDs with a tap at the identity reader. Using Face ID or Touch ID, the identity information being asked for is shared.

    Apple also said there are privacy features including:

      • Apple and the issuing states don’t know when or where the IDs are presented.
      • ID data is encrypted and protected with biometric authentication.
      • ID information is presented through encrypted communication between the device and identity reader.
      • The Find My app can lock, locate and erase misplaced devices.

  • Half of businesses can't spot these signs of insider cybersecurity threats

    Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyberattacks. Research by security think tank the Ponemon Institute and cybersecurity company DTEX Systems suggests that over half of companies find it impossible or very difficult to prevent insider attacks.

    These businesses are missing indicators that something might be wrong. Those include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data.

    Insider threats can come in a number of forms, ranging from employees who plan to take confidential data when they leave for another job, to those who are actively working with cyber criminals, potentially even to lay the foundations for a ransomware attack. In many cases, an insider preparing to carry out an attack will follow a set pattern of activities including reconnaissance, circumvention, aggregation, obfuscation and exfiltration, all of which could suggest something is amiss. But businesses are struggling to detect the indicators of insider threat in each of these stages because of a lack of effective monitoring controls and practices.

    “The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception,” said Larry Ponemon, chairman and founder of the Ponemon Institute. Many security professionals are already familiar with Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK Framework, both of which describe the various stages of an attack and the tactics utilized by an external adversary, he said. But since human behavior is more nuanced than machine behavior, insider attacks follow a slightly different path and, therefore, require modern approaches to combat.

    Just a third of businesses believe they’re effective at preventing data from being leaked from the organisation.

    According to the research, one of the key reasons insider threats aren’t being detected is confusion around who is responsible for controlling and mitigating risks. While 15% of those surveyed suggested that the CIO, CISO or head of the business is responsible, 15% suggested that nobody has ultimate responsibility in this space – meaning that managing and detecting the risks and threats can fall between the cracks.

    There are several factors that make detecting cybersecurity risks – including insider threats – difficult. Over half of businesses cite a lack of in-house expertise in dealing with threats, while just under half say there’s a lack of budget, and the shift to remote working has also made it harder to mitigate cybersecurity risks.

    According to Ponemon and DTEX, the best way for companies to improve their ability to detect insider threats is to improve the security posture of the business, as well as designating a clear authority for controlling and mitigating this risk – one that can investigate activities that could suggest a potential insider attack.

    “Our findings indicate that in order to fully understand any insider incident, visibility into the nuance and sequence of human behavior is pivotal,” said Rajan Koo, chief customer officer at DTEX Systems. “Organisations need to take a human approach to understanding and detecting insider threats, as human elements are at the heart of these risks,” he added.

  • This is why the Mozi botnet will linger on

    It has been two years since the emergence of Mozi, and despite the arrest of its alleged author, the botnet continues to spread.

    Mozi was discovered in 2019 by 360 Netlab, and in the two years since, has grown from a small operation to a botnet that “accounted for an extremely high percentage of [Internet of Things] IoT traffic at its peak.” According to Netlab (translated), Mozi has accounted for over 1.5 million infected nodes, of which the majority — 830,000 — originate from China.

    Mozi is a P2P botnet that uses the DHT protocol. In order to spread, the botnet abuses weak Telnet passwords and known exploits to target networking devices, IoT, and video recorders, among other internet-connected products. The botnet is able to enslave devices to launch Distributed Denial-of-Service (DDoS) attacks, launch payloads, steal data, and execute system commands. If routers are infected, this could lead to Man-in-The-Middle (MITM) attacks.

    Earlier this month, Microsoft IoT security researchers said that Mozi has evolved to “achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE” by adapting its persistence mechanisms depending on each device’s architecture. In July, Netlab claimed that the cybersecurity firm had assisted law enforcement to arrest the alleged developer of Mozi, and therefore, “we don’t think it will continue to be updated for quite some time to come.”

    However, the botnet lives on, and on Tuesday, the company provided its opinion on why. “We know that Mozi uses a P2P network structure, and one of the ‘advantages’ of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices,” Netlab says. “That is why we can still see Mozi spreading.”

    According to the team, alongside the main Mozi_ftp protocol, the discovery of malware using the same P2P setup — Mozi_ssh — suggests that the botnet is also being used to cash in on illegal cryptocurrency mining. In addition, users are harnessing Mozi’s DHT configuration module and creating new, functional nodes for it, which the team says allows them to “quickly develop the programs needed for new functional nodes, which is very convenient.” “This convenience is one of the reasons for the rapid expansion of the Mozi botnet,” Netlab added.

    The team also said that a sample of the botnet dubbed v2s, captured last year, suggests that updates to Mozi have been focused on separating control nodes from “mozi_bot” nodes, as well as improving efficiency. It may be that these changes were made by the authors to lease the network to other threat actors. “The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended,” the researchers say. “Since the parts of the network that are already spread across the internet have the ability to continue to be infected, new devices are infected every day.” Netlab predicts that week by week, the size of the botnet will gradually decrease, but it is likely that the impact of Mozi will be felt for some time to come.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Cream Finance platform pilfered for over $34 million in cryptocurrency

    Cream Finance has lost over $34 million in cryptocurrency after a cyberattacker exploited a vulnerability in the project’s market system. 

    The decentralized finance (DeFi) organization is the developer of a lending protocol for individuals, with yields on offer for some cryptocurrency stakes. Assets on the platform include Ethereum (ETH), the AMP token, CREAM token, USDT, and COMP.

    Cream said an attacker managed to exploit a vulnerability on August 31, leading to the theft of 462,079,976 AMP tokens ($24.2m) and 2,804.96 ETH ($9.9m), according to an update posted on September 1. At current prices, this amounts to over $34 million. In an analysis of the attack, conducted with the assistance of PeckShield, Cream said an error in how the platform integrated AMP, leading to a reentrancy bug, was the source of the exploit. “While unfortunate and disappointing, we take ownership of the error,” the developers say.

    Cream is now working with law enforcement to try and trace the attacker — or, attackers, as the platform says a “copycat” was also in play at the time of the main attack. The second individual has a transaction history with Binance.

    The organization has paused AMP supply and borrow functions until a patch can be deployed. The stolen ETH and AMP will be replaced, with 20% of protocol fees now earmarked to repay customers. Cream says that if the attacker is willing to return the stolen cryptocurrency, they can keep 10%, without any consequences, as a form of bug bounty payment. However, if others are able to provide a lead on the identity of the cyberattacker leading to their arrest and/or prosecution, 50% of the value of the stolen funds is on offer as a reward. If neither offer is successful, “we will forward all relevant information to law enforcement authorities and prosecute to the fullest extent of the law,” the company says.

    This is not the first time Cream has fallen foul of a cyberattack. In February, the platform lost $37.5 million due to a flash loan exploit made via IronBank. Earlier this month, DeFi platform Poly Network said an attacker exploited a vulnerability in the platform to siphon away roughly $610 million in cryptocurrency, including BSC and ETH. The thief has since returned the funds and is signed off as “Mr. White Hat” in Poly blog posts. The company has returned assets to their rightful owners and is currently in the process of restoring cross-chain services.

  • Scam artists are recruiting English speakers for business email campaigns

    Native English speakers are being recruited in their droves by criminals trying to make Business Email Compromise (BEC) more effective. 

    BEC schemes can be simple to execute and among the most potentially devastating for a business, alongside threats such as ransomware. A BEC scam will usually start with a phishing email, tailored and customized depending on the victim. Social engineering and email address spoofing may also be used to make the message appear to originate from someone in the target company — such as an executive, the CEO, or a member of an accounts team — in order to fool an employee into making a payment to an account controlled by a criminal. In some cases, these payments — intended to pay an alleged invoice, for example — can reach millions of dollars. In 2020, US companies alone lost roughly $1.8 billion to these forms of cyberattack.

    Little technical knowledge is required to pull off a BEC scam; however, threat actors need to be able to communicate effectively in order to succeed in these endeavors — and if they are not fluent in the language a target speaks, this can cause BEC attacks to ultimately fail. Unfortunately, there are ways to plug this gap in expertise: recruit a native language speaker from the underground. According to Intel 471, forums are now being used to seek out English speakers, in particular, to bring together teams able to manage both the technical aspects and social engineering elements of a BEC scam.

    Over the course of 2021, threat actors have posted ‘wanted’ adverts on a popular Russian-speaking cybercriminal forum asking for native English speakers, later tasked with managing email communication that would not raise red flags to members of a high-level organization, as well as with managing the negotiation aspect of a BEC operation. If a scam is to succeed, the target employee must believe communication comes from a legitimate source — and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn’t right, in the same way that run-of-the-mill spam often contains issues that alert recipients to attempted fraud. “Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams,” the researchers say.

    In addition, threat actors are also trying to recruit launderers to clean up the proceeds from BEC schemes, often achieved through cryptocurrency mixer and tumbler platforms. One advert spotted by the team asked for a service able to launder up to $250,000.

    “The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers,” Intel 471 says. “[…] Criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money.”

  • FBI, CISA warn of potential cyberattacks over Labor Day weekend

    CISA and the FBI have released an advisory warning of potential cyberattacks that may occur over the coming Labor Day weekend, noting that in recent years hackers have launched dozens of devastating attacks on long weekends. They urged organizations to take steps to secure their systems, reduce their exposure and potentially “engage in preemptive threat hunting on their networks to search for signs of threat actors.”

    Eric Goldstein, executive assistant director for Cybersecurity at CISA, said ransomware “continues to be a national security threat” but noted that the challenges presented by potential attacks are “not insurmountable.” “With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience,” Goldstein said. “All organizations must continue to be vigilant against this ongoing threat.”


    He urged organizations not to pay ransoms in the event of a ransomware attack and said CISA or local FBI field offices should be contacted before any decisions are made. CISA noted that there is generally an increase in “highly impactful ransomware attacks” that occur on holidays and weekends, noting the devastating Kaseya attack that took place on July 4. CISA said it does not have specific threat intelligence indicating attacks are imminent but explained that threat actors know IT teams are limited on holiday weekends and listed a number of attacks that took place on holidays this year. 

    They cited the Mother’s Day weekend attack in May by the DarkSide ransomware group on Colonial Pipeline and the Memorial Day weekend attack on major meat processor JBS by the Sodinokibi/REvil ransomware group. REvil then hit Kaseya on July 4, continuing the holiday attack trend. 


    “The FBI’s Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime — a record number — from the American public in 2020, with reported losses exceeding $4.1 billion,” the advisory said. “This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.”

    The FBI added that over the last month, the most frequently reported attacks involved ransomware groups like Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin and Crysis/Dharma/Phobos. More ransomware groups are also coupling the encryption of IT assets with the secondary extortion of organizations with stolen sensitive or proprietary data, according to the notice. CISA added that ransomware groups are increasingly deleting backups and adding other tactics to make attacks more devastating.

    The most common initial access vectors involve phishing and brute forcing unsecured remote desktop protocol endpoints, according to CISA. Ransomware gangs are also using dropper malware, exploiting vulnerabilities and taking advantage of stolen credentials. At times, ransomware actors spend weeks inside a system before launching an attack — typically on weekends or holidays — so CISA urged IT leaders to proactively search their systems for potential points of access. Suspicious traffic patterns and strange access locations may help tip off IT teams to the potential for an attack, CISA noted.

    IT leaders, like ThycoticCentrify vice president Bill O’Neill, said malicious actors often know that long weekends mean there will be a delayed response or an unprepared ‘skeleton crew’ that simply doesn’t have the resources to simultaneously monitor for and deter threats fast enough. “Or threats will be monitored, trigger automatic alerts, and enforce certain lockdowns, but often those still require human action for mitigation and additional security controls,” O’Neill said. “And because most organizations would prefer to have their data released immediately rather than wait out the duration of a holiday weekend (and incur continued reputational damage), they’re also more likely to negotiate with attackers and pay out the requested ransom to minimize long term risks associated with these attacks.”

    Lookout senior manager Hank Schless added that hackers know people may be traveling and not able to access their work computer or mobile device in order to help stop an attack once they receive an alert of suspicious activity. Attackers have already become much more advanced in how they gain entry to an organization’s infrastructure — even when teams are fully staffed up and working, Schless told ZDNet.

    Jake Williams, CTO at BreachQuest, explained that most ransomware attacks seen today could be easily discovered before encryption by following the guidance from CISA. “This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber hygiene there’s currently no need to do so,” Williams said, adding that extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.

    Tripwire vice president Tim Erlin put it succinctly: “Attackers don’t take the weekends off, and neither should your cybersecurity.”

  • CrowdStrike beats Q2 estimates with strong subscription growth

    CrowdStrike on Tuesday published its second quarter financial results, beating market estimates with solid growth from subscription customers. The cybersecurity company added 1,660 net new subscription customers in the quarter for a total of 13,080 subscription customers as of July 31. That represents 81% year-over-year growth. Subscription revenue was $315.8 million, a 71% increase. CrowdStrike’s total Q2 revenue was $337.7 million, a 70% increase over a year prior. Non-GAAP net income came to $25.9 million or 11 cents per share. Analysts were expecting earnings of 9 cents per share on revenue of $323.16 million.

    “CrowdStrike delivered an outstanding second quarter with rapid subscription revenue growth and record net new ARR generated in the quarter,” CEO and co-founder George Kurtz said in a statement. “The success of our platform strategy and our growing brand leadership have led to a groundswell of customers turning to CrowdStrike as their trusted security platform of record. We believe that our extensible Falcon platform, purpose-built to leverage the power of the cloud, collecting data once and reusing it many times, is a fundamental cornerstone to building a durable growth business over the long-term.”

    CrowdStrike’s annual recurring revenue (ARR) increased 70% year-over-year and grew to $1.34 billion as of July 31. Of that, $150.6 million was net new ARR added in the quarter. In addition to adding a record number of net new subscribers in the quarter, CrowdStrike reported solid growth in the portion of subscribers adopting multiple modules. CrowdStrike’s subscription customers that have adopted four or more modules, five or more modules and six or more modules increased to 66%, 53%, and 29%, respectively, as of July 31.

    For the third quarter, the company expects total revenue in the range of $358 million to $365.3 million.
