More stories

  • Black Hat: How cybersecurity incidents can become a legal minefield

    BLACK HAT USA: When a company becomes the victim of a cyberattack, executives are faced with a tsunami of challenges: containing a breach, remediation, informing customers and stakeholders, identifying those responsible, and conducting a forensic analysis of the incident — to name but a few.


    However, it is not just the real-world issues faced in the moment that businesses have to tackle: the legal ramifications of a security incident have become more important than ever to consider. Speaking to attendees at Black Hat USA in Las Vegas, Nick Merker, partner at Indianapolis-based legal firm Ice Miller LLP, said that before becoming a lawyer he worked as an information security professional — and this experience allowed him to transition into the legal field through a cybersecurity lens. After being involved in the legal side of over 500 security incidents, including everything from the theft of a laptop to major ransomware incidents, Merker said that many of the pitfalls he experienced could have been “easily avoided with a simple conversation.”

    When attorneys are brought into a cybersecurity incident, they need to consider areas including data protection standards (such as HIPAA or GDPR), insurance coverage, liability, the preservation of evidence, and the potential for lawsuits and class-action claims. Robust IT systems are no longer enough to protect against the financial and reputational harm of cyberattacks, and it is up to legal teams to assist victims in making the right decisions in the aftermath. According to Merker, during a cybersecurity incident, “IT professionals and security folks, people who are not lawyers, [often] find themselves in a weird solution where they need to think like a lawyer or at least have one there.”

    One of the main issues that enterprise players need to consider is attorney-client privilege. Its purpose is to make sure a client who wants to seek advice from an attorney can say what they want and retain confidentiality — and the attorney cannot be compelled to testify against them. However, there are misconceptions surrounding this concept: not everything you say is privileged. A communication may be privileged, but that doesn’t mean the subject matter is privileged, such as the facts surrounding a data breach or cyberattack. “This does not mean that the underlying factors of a security incident are privileged,” the lawyer said. “This is an important thing to think about.”

    If you want to retain privilege, then you need to “paper up” and make sure there are defined lines between investigations, reports, and forensic activity. Specifically, if you want investigations to be privileged, they should be done separately and apart from ordinary business investigations. A “100 percent, separate team should be in place” and any reports on an incident should be “only used for litigation preparedness rather than as a business-outcome report,” Merker commented. In addition, it should be noted that corporations can waive privilege, but they cannot necessarily cherry-pick which areas to waive. It may be an “all or nothing” approach in some jurisdictions, and rather than “having your cake and eating it too,” attempts to do so can create further legal challenges. An example given is a document submitted in court with redactions, whereas the full document, without redactions, was provided to regulators. It may be that this attempt to partly utilize privilege could fail. In addition, privileged information should stay within protected walls. The lawyer says that if information is shared, such as through an email or by the watercooler, this could result in deposition and could be considered a waiver of privilege.

    Another area of legal concern relates to OFAC’s recent warning on potential sanctions when ransomware payments are approved — especially if someone ends up paying as part of a criminal chain that lands in an area with economic restrictions, such as Iran or Cuba. This can create individual or corporate liability and prompt heavy penalties — or even jail time. If you’re in a ransomware event and you need to pay the ransom in order to get back online, Merker says you should have a risk-based compliance program: a robust structure and risk assessments for whether or not you will pay a threat actor, and you should engage law enforcement immediately. This could be a significant factor determining the eventual outcome, the legal expert noted. “[Also] getting in touch with us quickly is what you want to do,” Merker added.

    Merker emphasised that companies more often “need to actually use an incident response plan in an incident situation,” and said that documentation should be a key focus. Timelines, logs, major decisions, and status summaries should be kept, as regulators — or plaintiffs — will be asking questions, and you need to know “what you did, and why you did it.” “You need to build up a story of what you actually did as a company,” Merker says. “This will also protect the chain of custody [and] you want to make sure you don’t accidentally waive privilege.”

  • FireEye Q2 results disappoint investors

    FireEye, one of the world’s largest security firms, reported year-over-year revenue growth of 8% in Q2 as the company adjusts following the sale of a major part of its business. Earnings for the quarter came to $0.09 per share on revenue of $248 million, an increase of $2 million compared to the first quarter of 2021. Wall Street was expecting earnings of $0.09 per share on revenue of $249.07 million. The report sent FireEye shares down 10.75% in late trading.

    FireEye sold its FireEye Products business to a consortium led by Symphony Technology Group for $1.2 billion on June 2, dramatically changing the company’s outlook. The all-cash deal is expected to close at the end of the fourth quarter. FireEye said that the deal separates the company’s network, email, endpoint and cloud security products from Mandiant’s software and services. FireEye Products and Mandiant Solutions will continue to be one entity until the transaction closes. Symphony Technology Group and FireEye will maintain reselling and collaboration agreements. CEO Kevin Mandia said in June that the deal was made because FireEye wants to scale its software platforms. But the company projected that its products and related subscriptions and support revenue would fall 10% to 11% in 2021 compared to 2020. “The Mandiant Solutions business continued to deliver strong growth in revenue and annualized recurring revenue for the second quarter ended June 30, 2021,” Mandia said.

    The earnings report was split into two parts, one that included revenue from discontinued operations and one that did not. The revenue for the continuing operations this quarter was $114 million, with a non-GAAP operating margin of negative 26 percent, and a non-GAAP net loss per basic share of $0.14. For the third quarter of fiscal 2021, FireEye expects non-GAAP net income between $0.05 and $0.07 per share. It gave a revenue outlook between $118 million and $122 million. In December, the company disclosed that it was the target of a massive international cyber espionage campaign.


  • Black Hat: Enterprise players face 'one-two-punch' extortion in ransomware attacks

    BLACK HAT USA: The adoption of double-extortion attacks against companies in ransomware campaigns is a rising trend in the space, researchers warn.

    Ransomware variants are typically programs that aim to prevent users from accessing systems and any data stored on infected devices or networks. After locking victims out, files and drives will often be encrypted — and in some cases, backups, too — in order to extort a payment from the user. Today, well-known ransomware families include WannaCry, Cryptolocker, NotPetya, Gandcrab, and Locky. Ransomware now seems to make the headlines month-on-month. Recently, the cases of Colonial Pipeline and Kaseya highlighted just how disruptive a successful attack can be to a business, as well as its customers — and according to Cisco Talos, it’s likely to only become worse in the future. In 1989, the AIDS Trojan — arguably one of the earliest forms of ransomware — was spread through floppy disks. Now, automated tools are used to brute-force internet-facing systems and load ransomware; ransomware is deployed in supply-chain attacks, and cryptocurrencies allow criminals to more easily secure blackmail payments without a reliable paper trail.

    As a global issue and one that law enforcement struggles to grapple with, ransomware operators may be less likely to be apprehended than in more traditional forms of crime — and as big business, these cybercriminals are now going after large companies in the quest for the highest financial gain possible. At Black Hat USA, Edmund Brumaghin, research engineer at Cisco Secure, said the so-called trend of “big game hunting” has further evolved the tactics employed by ransomware operators.

    Now that big game hunting has gone “mainstream,” Brumaghin says, cyberattackers are not deploying ransomware immediately on a target system. Instead, as in the example of typical SamSam attacks, threat actors now more often obtain an initial access point through an endpoint and then move laterally across a network, pivoting to gain access to as many systems as possible.
    “Once they had maximized the percentage of the environment that was under their control, then they would deploy the ransomware simultaneously,” Brumaghin commented. “It’s one of those types of attacks where they know that organizations may be forced to pay out because of instead of a single endpoint being infected, now, 70 or 80 percent of server-side infrastructure is being impacted operationally at the same time.”

    After a victim has lost control of their systems, they are then faced with another problem: the emerging trend of double-extortion. While an attacker is lurking on a network, they may also rifle through files and exfiltrate sensitive corporate data — including customer or client information and intellectual property — and they will then threaten their victims with its sale or a public leak. “Not only are you saying you only have X amount of time to pay the ransom demand and regain access to your server, if you don’t pay by a certain time, we’re going to start releasing all of this sensitive information on the internet to the general public,” Brumaghin noted.

    This tactic, which the researcher says “adds another level of extortion in ransomware attacks,” has become so popular in recent years that ransomware operators often create ‘leak’ sites, on both the dark and clear web, as portals for data dumps and in order to communicate with victims. According to the researcher, this is a “one-two-punch” method that is made worse now that ransomware groups will also employ Initial Access Brokers (IABs) to cut out some of the legwork required in launching a cyberattack. IABs can be found on dark web forums and contacted privately. These traders sell initial access to a compromised system — such as through a VPN vulnerability or stolen credentials — and so attackers can bypass the initial stages of infection if they are willing to pay for access to a target network, saving both time and effort.

    “It makes a lot of sense from a threat actor’s perspective,” Brumaghin said. “When you consider some of the ransom demands we’re seeing, in a lot of cases, it makes sense to them instead of trying to go through all the effort [..] they can simply rely on initial access brokers to give them access that has already been achieved.”

    Finally, Cisco’s security team has also noted an uptick in ransomware ‘cartels’: groups that share information and work together to identify the techniques and tactics that are most likely to result in revenue generation. Brumaghin commented: “We’re seeing a ton of new threat actors begin to adopt this business model and we continue to see new ones emerge, so it’s something organizations really need to be aware of.”

  • CISA to partner with Amazon, Google, Microsoft, Verizon, AT&T and more for cyberdefense initiative

    CISA director Jen Easterly announced a new cyberdefense collaborative that will see government bodies partner with Google, Microsoft, Verizon and more on protective cybersecurity measures. Easterly unveiled the initiative in an interview with the Wall Street Journal before speaking about it further at the Black Hat convention on Thursday. The newly-appointed head of CISA told the newspaper that the Joint Cyber Defense Collaborative (JCDC) will “uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime.”

    Easterly explained on Twitter that the JCDC will “share insight to shape our understanding of cyber defense challenges and opportunities, design whole-of-nation cyber defense plans to address risks, support joint exercises to improve cyber defense operations and implement coordinated defensive cyber operations.” On its website, the JCDC described its mission as leading “the development of the Nation’s cyber defense plans” as it seeks to “prevent and reduce the impacts of cyber intrusions.” They explain that the $740 billion National Defense Authorization Act (NDAA) of 2021, passed on January 1, gave them “new authority” to bring together both public and private institutions to coordinate responses to cyberattacks. Representatives from DHS, the Justice Department, United States Cyber Command, NSA, FBI as well as the Office of the Director of National Intelligence will be involved in the initiative.

    Private sector companies involved in the effort include Google, Verizon, Microsoft, AT&T, Amazon Web Services, FireEye, Lumen, Crowdstrike and Palo Alto. Google Cloud CISO Phil Venables told ZDNet it is essential that the public and private sectors work together to defend against evolving threats and shore up modern IT capabilities that will protect federal, state and local governments. “We look forward to working with CISA under the Joint Cyber Defense Collaborative and offering our security resources to build a stronger and more resilient cyber defense posture,” Venables said. Shawn Henry, president of CrowdStrike Services and CSO, added that the JCDC will “create an inclusive, collaborative environment to develop proactive cyber defense strategies.” “Continued collaboration between industry and government is critical to thwart today’s sophisticated attacks, and CISA’s initiative to bring the most relevant stakeholders together to defend national security is admirable. CrowdStrike is looking forward to partnering on this critical endeavor,” Henry said.

    An image of the partnership shared by CISA director Jen Easterly
    “The JCDC leads the development of the Nation’s cyber defense plans by working across the public and private sectors to unify deliberate and crisis action planning, while coordinating the integrated execution of these plans,” the collective explained. “The plans will promote national resilience by coordinating actions to identify, protect against, detect, and respond to malicious cyber activity targeting U.S. critical infrastructure or national interests.” JCDC will also coordinate with state level officials and other owners and operators of critical information systems. They added that “comprehensive, whole-of-nation planning” will be needed to address the wave of cybersecurity incidents facing organizations. In addition to defensive measures, the JCDC said it would also plan for “adaptive” cyber defense to deal with “adversary activity conducted in response to US offensive cyber operations.”

    The JCDC is one of many actions being taken by the Biden Administration to address ransomware attacks and many other headline-grabbing attacks in recent months. In addition to the new mandatory guidelines facing critical infrastructure owners, the JCDC will coordinate with them to “support the development of long-term plans to manage cyber risk and increase resilience of critical infrastructure.” During her speech at Black Hat, Easterly thanked US Senator Angus King, Congressman Mike Gallagher and the other leaders of Congress’ Cyberspace Solarium Commission for their help in setting up the JCDC. Easterly was confirmed by Congress on July 12 following a decorated career in the military. She spent more than 20 years working on the US Army’s intelligence and cyber operations and is credited with helping design and create United States Cyber Command.

  • More than 12,500 vulnerabilities disclosed in first half of 2021: Risk Based Security

    Risk Based Security has released two new reports covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed. The company’s data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. The number of reported breaches grew in the US by 1.5%, while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020. Inga Goddijn, executive vice president at Risk Based Security, said the methods used by attackers to monetize their efforts have diversified and, at the same time, preventable errors are outpacing hackers when it comes to the amount of data exposed. “The amount of data compromised remains stubbornly high and with another sizable Q2 breach yet to be confirmed, it is possible that the number will climb over 19 billion in the near future,” Goddijn said. The numbers are slightly misleading though, the report notes, because the breach of Forex trading service FBS Markets accounts for about 85% of the records exposed through June 30th. The researchers added that 352 data breaches involved a ransomware attack.

    The number of email addresses leaked held steady at 40% of all breaches, while passwords were leaked in 33% of breaches. Healthcare organizations led the way with the most breaches in 2021 so far at 238. Finance and insurance companies suffered 194 breaches, while manufacturing saw 169 and educational institutions dealt with 138.

    The other report, from Risk Based Security’s VulnDB team, aggregated 12,723 vulnerabilities that were disclosed during the first half of 2021. They found that for the first half of 2021, the number of vulnerabilities disclosed grew by 2.8% compared to 2020. “Of the vulnerabilities disclosed during the first half of 2021, 32.1% do not have a CVE ID, and an additional 7%, while having a CVE ID assigned, are in RESERVED status which means that no actionable information about the vulnerability is yet available in CVE/NVD,” the report added. “In the first half of 2021, Risk Based Security’s VulnDB team aggregated an average of 80 new vulnerabilities per day. Risk Based Security also updated an average of 200 existing vulnerability entries per day as new solution information, references, and additional metadata became available.” Of the vulnerabilities disclosed so far in 2021, 1,425 are remotely exploitable and have a public exploit as well as a mitigating solution. Nearly 900 vulnerabilities that are remotely exploitable do not have a mitigating solution at all.

    One issue spotlighted by the report is the trend of organizations failing to report breaches. The COVID-19 pandemic shifted focus away from cybersecurity and there has now been a 24% decline in the number of publicly disclosed breaches when comparing data from the first half of 2020 to the first half of 2021. Despite the decline in disclosed breaches, the number of sensitive files exposed continues to grow. Between January 2021 and June 2021, more than 18 billion sensitive or confidential records were exposed, the second highest ever recorded by Risk Based Security.

    Of the data lost in breaches, 61% involved the exposure of names, 38% exposed social security numbers, 25% contained addresses and 22% had financial information. The reports also ranked the top ten products by vulnerability disclosures in Q2 of 2021. Debian Linux led the way with 628, followed by Fedora at 584, openSuSE Leap at 526 and Ubuntu at 443. The top ten vendors by vulnerability disclosures in Q2 2021 included Microsoft at 627, SUSE at 590, Fedora at 584, IBM at 547 and both Oracle and Google above 500. Cisco, Canonical and Red Hat rounded out the list with more than 400 vulnerability disclosures in Q2 2021.

  • Microsoft tests Super-Duper Secure Mode for Edge

    Microsoft’s Edge Vulnerability Research (VR) team is testing a new feature they’ve christened “Super Duper Secure Mode” (SDSM). Super-Duper Secure Mode is all about making Edge more secure without negatively impacting performance.


    SDSM works by removing Just-In-Time (JIT) compilation from the V8 JavaScript engine’s processing pipeline, which reduces the attack surface available for attacks against Edge, as Bleeping Computer (where I first saw the SDSM information) explains. In addition to disabling the JIT, SDSM enables “new security mitigations” to make Edge a more secure browser. “JavaScript plays a key role in any browser story. JITs exist for a reason, and that is to optimize JavaScript performance,” the Microsoft browser researchers noted in their August 4 blog post about SDSM. However, so far, the researchers said they don’t see much of a change in performance with JIT disabled; most of their tests remained unchanged. By disabling the JIT, roughly half of the V8 bugs that must be fixed would be removed. This would mean less frequent security updates and fewer emergency patches for users, the researchers noted. SDSM is still considered to be in the experimental stage. Still, Edge preview testers — in the Canary, Dev and Beta rings — can enable it now with a flag by going to edge://flags/#edge-enable-super-duper-secure-mode and turning on the new feature.

  • Google's new Nest lineup includes a Doorbell and Cams

    The new Google Nest Cam lineup.

    Google on Thursday unveiled several new security cameras that are part of its Nest smart home lineup. There’s a new video doorbell, a floodlight camera to help you monitor your driveway or a dark side of your home, and two new Nest Cams — one that’s battery-powered and designed for use anywhere, and another that’s designed to monitor inside your home.

  • There's been a rise in stalkerware. And the tech abuse problem goes beyond smartphones

    BLACK HAT USA: We need to be wary of mobile devices and IoT products, now widely abused to facilitate partner coercion, researchers have warned. 


    At the Black Hat cybersecurity conference in Las Vegas this week, Lodrina Cherne, Principal Security Advocate at Cybereason, and Martijn Grooten, consultant and coordinator at the Coalition Against Stalkerware, said that the COVID-19 pandemic has prompted a surge in the use of stalkerware in intimate partner violence (IPV) and gender-based violence. The Coalition Against Stalkerware defines stalkerware as software, made available directly to individuals, that enables a remote user to monitor the activities on another user’s device without consent and without “explicit, persistent notification to that user in a manner that may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence.” Mobile applications and PC monitoring software come straight to mind. Unlike spyware, which may be employed to monitor indiscriminately or by government agencies and law enforcement investigations, stalkerware is generally used by individuals.

    Such software can be used to remotely monitor and eavesdrop on phone calls, SMS messaging, Voice over IP (VoIP) applications, GPS/location data, messaging and social media apps, and to steal images and video from an infected device. It is often the case that stalkerware is installed through physical access to a handset. However, malicious SMS messages or phishing emails may also be the infection vector, although remote installation of stalkerware is rare, Cherne noted. “They are not hidden from a forensic practitioner,” Cherne commented. “But they are hidden from the user.”

    According to the duo, stalkerware is most common on Android mobile devices; on iOS, this form of malware is most often detected on jailbroken, unpatched, or older handsets. Desktop PC stalkerware also exists, although it is not as prolific.

    This malware may be marketed as employee or child monitoring services and for ‘good’ and ‘ethical’ purposes — but as it is so often hidden, stealthy, and doesn’t require continual consent, it can be used in IPV or to abuse others and violate their privacy. Using technology to intimidate, spy on, or abuse someone, however, can now go beyond mobile apps. As noted by the security experts, Internet of Things (IoT) devices including Bluetooth/possession trackers, shared social media accounts, and other smart technology, for example home security cameras, are also ripe for abuse. Even remote-controlled devices such as smart thermostats or lights could be used to demonstrate power over another and can be “intimidating,” according to Grooten.

    According to a WESNET survey conducted in Australia, 99.3% of domestic violence practitioners have clients who have experienced technology-facilitated abuse — and the use of video cameras for this purpose alone has increased by 183.2% between 2015 and 2000. “Tech abuse rarely involves hacking, it instead exploits a feature of the technology — they are rarely built with IPV in mind,” Grooten added. In the United States, the Stalking Prevention Awareness & Resource Center (SPARC) says that one in four individuals experiencing domestic abuse report that technology was used in some manner.


    While survivors may be “hyper-vigilant,” as they have had to be to endure IPV, their suspicions or belief that they are being spied upon through stalkerware should not be dismissed. “Survivors should always be taken seriously to empower them,” Grooten said. “Don’t make decisions on their behalf and try to be supportive [..] understand that this is an abuse problem, not a technical problem.”

    Founded in 2019, the Coalition Against Stalkerware is a group of non-profit organizations, security advocates, and cybersecurity companies working together to fight stalkerware and other forms of technological abuse in domestic violence and coercive relationships. Participants include F-Secure, the Electronic Frontier Foundation (EFF), Kaspersky, Malwarebytes, National Network to End Domestic Violence (NNEDV), and others. Interpol also supports the scheme. “In recent years, the problem of stalkerware has been on the rise globally,” the coalition says. “Non-profit organizations report a growing number of survivors are seeking help with stalkerware, and cybersecurity companies are detecting a consistent increase in these harmful apps.” For further information and advice, check out the coalition’s guide video or our in-depth guide.
