More stories


    Fortinet delivers strong Q4, bolsters FortiOS with Zero Trust Network Access

    Fortinet delivered strong fourth quarter growth and updated its FortiOS operating system with more than 300 new features including Zero Trust Network Access capabilities and tools to better secure networks and proliferating end points.
    The updates come as the company said it will focus on growth for the quarters ahead. Fortinet delivered fourth quarter revenue of $748 million, up 21% from a year ago, with net income of 89 cents a share.
    As for the fourth quarter, Fortinet’s non-GAAP earnings of $1.06 a share were above expectations. The company said demand for its security platform was strong. Wall Street was expecting Fortinet to report fourth quarter earnings of 97 cents a share on revenue of $722.4 million.
    For 2020, Fortinet delivered earnings of $2.91 a share on revenue of $2.59 billion, up 20% from a year ago. Non-GAAP earnings for 2020 were $3.35 a share.
    Ken Xie, CEO of Fortinet, said “given the many growth opportunities that lie ahead for us, we plan to shift our focus more to growth for at least the next several quarters.”
    For the first quarter, Fortinet is projecting revenue between $670 million to $685 million with non-GAAP earnings of 70 cents a share to 75 cents a share. For 2021, Fortinet is projecting revenue of $3.02 billion to $3.07 billion with non-GAAP earnings of $3.60 a share to $3.75 a share.  
    FortiOS 7.0 lands as Fortinet is aiming to create a platform that will cover data centers, clouds, edge computing end points and networks. Fortinet Security Fabric is powered by FortiOS.

    Among the key updates:
      • Zero Trust Network Access for Remote Access and Application Control for FortiGate firewall customers. The Zero Trust set-up is designed to replace traditional VPNs and cut the attack surface by verifying the user and device for every application session.
      • Cloud-based SASE security as a service.
      • Self-healing SD-WAN tools with remediation tools that can adapt for passive application monitoring as well as various cloud deployments.
      • Security for 5G and LTE.
      • Adaptive cloud security to manage hybrid and multi-cloud deployments.
      • Network security tools to improve efficiency and integrate with FortiManager/FortiAnalyzer.
      • The FortiGuard security service with advanced tools for remote work.
    Fortinet said FortiOS 7.0 will be available at the end of the first quarter.


    We need privacy and security for communications, and there’s an app for that

    Our communications need to be both private and secure. The recent uproar about WhatsApp’s changes to its privacy policy is a good reminder of that fact. While the changes had implications for consumers who use WhatsApp, the concerns also made their way into the enterprise. CISOs have seen discussions quickly morph from personal concerns about privacy to enterprise security concerns about using WhatsApp for business communications. 


    The common question: Is WhatsApp “safe” to use for business communications?  Consider a follow-up question: What do we do, and what can we do, about it? 
    Understand the risks to the business to help make the case for change
    Your business is exposed to privacy, security, reputation, and compliance risks when employees use consumer tools for business purposes. If someone is targeting your organization specifically, it is useful to know that employees regularly communicate business info freely on such a channel. It likely wouldn’t be too difficult to discover if employees talk about it as a tool they use for work or encourage customers or others to use it to communicate with them. 
    Consumer apps aren’t built for business use. End-to-end encryption protects data in transit and the app provider doesn’t see the content, yet data is still vulnerable on devices. Malware on phones enables hackers to read messages. Someone else picking up an employee’s phone may be able to see messages if there’s no PIN protecting access to the phone or to the app. There is also no guarantee that an individual is using two-step verification or is not automatically backing up their messages to the cloud. They could also save messages to share with others outside of the company, or screenshot freely, and the recipient can do whatever they wish with them. Additionally, vertical-specific compliance guidelines, such as those of the FFIEC (Federal Financial Institutions Examination Council), may also require that you retain business-related text messages.
    Explore how purpose-built tools for secure, private, and compliant business communications can help
    Enterprises typically already have corporate-sanctioned tools for employee communication and collaboration like Google Chat or Microsoft Teams. Sometimes, they need more. They may find that they have use cases where another purpose-built tool is better suited for their needs. For general-purpose business communications and collaboration, tools such as Wickr and Wire include messaging/chat functionality, as well as other features like videoconferencing and file sharing. Tools like KoolSpan and CellTrust enable secure voice calling and more. 
    Options exist with added controls and features that make these offerings suitable for business communications. These can include capabilities such as administrative controls to revoke user access and adjust settings, encryption, the option to host on-premises or in private cloud, metadata protection, or integrations with enterprise applications. Some also offer the option of a portable phone number or use of the app independent of a mobile phone number so that employees are not using their personal phone number for business. 

    What to do next — because change doesn’t happen overnight 
    Provide clear guidance for acceptable communication tools for employees. Consider this a part of security awareness training so that employees understand the risks. This human element is the most important factor. Changing behavior is the most challenging component, especially when consumer apps are a convenient option. 
    Identify your audience, their use case, and employee requirements. Will a new tool serve a segment of the employee population, or is it meant to be used companywide? Determine if employees will need voice, text messaging, document sharing, video, or some other combination of functionality. Will you require integration with key systems (e.g., mobile device management or an archiving solution)? Clarity about these requirements in your initial planning will help narrow your shortlist of vendors and find the best fit for both your workforce and security needs. 
    Build a network of business user champions. These individuals evangelize the use of the tool internally with their peers and provide feedback from initial testing and tool selection through deployment. Target your messaging to best appeal to organizational culture and your workforce. In healthcare, this may be about promoting patient outcomes. For a manufacturer, protecting its competitive edge and reputation may resonate with employees. If no one wants to or can easily use the tool, you’re back at square one. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
    This post was written by Principal Analyst Heidi Shey, and it originally appeared here.


    Google paid $6.7 million to bug bounty hunters in 2020

    Image: Google
    Google said today it paid more than $6.7 million in bug bounty rewards to 662 security researchers across 62 countries for submitting vulnerability reports in Google products last year.

    The figure, up from the $6.5 million the company paid in 2019, is the company’s largest prize pool paid to security researchers to date.
    Most of last year’s bug prizes were awarded in the Chrome VRP (Vulnerability Reward Program), which handed out more than $2.1 million to security researchers for 300 bugs identified in Google’s flagship browser.
    The other major VRPs were the company’s Android programs. Google said it gave out $1.74 million for bugs discovered in the Android OS code and another $270,000 in the Google Play VRP for bugs found in the Play Store’s most popular and widely used Android apps.
    Among the Android VRP’s main highlights last year, Google listed the following:
      • We awarded our first-ever Android 11 developer preview bonus, which paid out over $50,000 across 11 reports. This allowed us to patch the issues proactively before the official release of Android 11.
      • Guang Gong (@oldfresher) and his team at 360 Alpha Lab, Qihoo 360 Technology Co. Ltd., now hold a record eight exploits (30% of the all-time total) on the leaderboard. Most recently, Alpha Lab submitted an impressive 1-click remote root exploit targeting recent Android devices. They maintain the top Android payout ($161,337, plus another $40,000 from Chrome VRP) for their 2019 exploit.
      • Another researcher submitted an additional two exploits and is vying for the top all-time spot with an impressive $400,000 in all-time exploit payouts.
      • We launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets.
    On top of these, Google also said more than $400,000 was sent to security researchers through its research grant program, which the company uses to fund innovative areas of security research.
    More than 180 security researchers received grants last year; they submitted back 200 bug reports that yielded 100 confirmed vulnerabilities in Google products and the open-source ecosystem.

    This year will mark the Google VRP’s 10th anniversary.

    Netgear BR200 small-business router

    The Netgear BR200 Insight Managed Business Router has been designed to be easy to set up, and features a built-in firewall, VLAN management, and remote cloud monitoring, and can be


    SoloKeys Solo V2: Open source two-factor authentication security keys

    Two-factor authentication security keys are now all the rage. If you care about security, then you have at least a couple of them on keyrings with you at any one time. The Solo V2, currently on offer via Kickstarter, brings some new features to these must-have items.
    On the face of it, they look like any other two-factor authentication security keys on the market but look closer, and there are some interesting features.

    First up, they are robust. The guts are encapsulated in epoxy resin, making them durable and hard to tamper with.
    Then there’s the reversible connector, a really useful feature for the USB-A version since you can orient it in a way that the LED shows up.
    There are also three capacitive touch pads, again making the Solo V2 easy to use no matter what the orientation.
    There’s also enhanced NFC; you get more reliable wireless authentication.

    Then there’s updatable firmware that can keep the keys fully updated. As far as I’m aware, this feature is unique to SoloKeys. The firmware updates will be signed by SoloKeys, and the user will need to carry this out (so no stealthy background updates). According to Solokeys, this is more secure and much cheaper than physically replacing all your security keys.
    The Solo V2 keys also come with colorful silicone sleeves.
    The Solo V2 supports FIDO2 and will work seamlessly with services such as Google, Facebook, Twitter, Dropbox, GitHub, and many more.
    Keys are expected to start shipping June 2021, and prices start at $34 for a single key.


    Blockchain transactions confirm murky and interconnected ransomware scene

    Image: Geralt on Pixabay
    A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks don’t operate in their own bubbles but often switch ransomware suppliers (RaaS services) in a search for better profits.

    The report analyzed how Bitcoin funds were transferred from victims to criminal groups, how the money was divided among the different parties involved in a ransomware attack, and how it was eventually laundered.
    But to understand these dynamics, a short intro to the current ransomware scene is needed. Today, the ransomware landscape is very similar to how modern businesses operate.
    There are coders who create and rent the actual ransomware strain via services called RaaS — or Ransomware-as-a-Service — similar to how most modern software is provided today.
    Some RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, which are usually called “affiliates.”
    The affiliates are the ones to usually spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.
    In some cases, the affiliates are also multiple groups themselves. Some are specialized in breaching a company’s network perimeter, and are called initial access vendors, while some groups are specialized in expanding this initial access inside hacked networks to maximize the ransomware’s damage.

    All in all, the ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.
    BTC transactions show collaborations between criminal groups
    The Chainalysis report released today confirms these informal theories with indisputable and unforgeable cryptographic proof left behind by the Bitcoin transactions that have taken place among some of these groups.
    For example, based on the graph below, Chainalysis said it found evidence to suggest that an affiliate for the now-defunct Maze RaaS was also involved with SunCrypt RaaS.
    “We see that the Maze affiliate also sent funds — roughly 9.55 Bitcoin worth over $90,000 — via an intermediary wallet to an address labeled ‘Suspected SunCryptadmin,’ which we’ve identified as part of a wallet that has consolidated funds related to a few different SunCrypt attacks,” Chainalysis said.
    “This suggests that the Maze affiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way.”

    Image: Chainalysis
    Similar findings also show a connection between the Egregor and DoppelPaymer operations.
    “In this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet,” researchers said.
    “Though we can’t know for sure, we believe that this is another example of affiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.”

    Image: Chainalysis
    And last but not least, Chainalysis researchers also found evidence that the operators of the Maze and Egregor operations also used the same money-laundering service and over-the-counter brokers to convert stolen funds into fiat currency.
    Since several security firms have suggested that the Egregor RaaS is a rebrand and continuation of the older and defunct Maze operation, such findings come to support these theories, showing how old Maze tactics permeated to the new Egregor operation.

    Image: Chainalysis
    Report confirms observations made by security firms
    “Interesting report and very much aligns with what we are seeing,” Allan Liska, a security researcher with threat intel firm Recorded Future, told ZDNet.
    “Recorded Future is seeing more fluidity in the RaaS market now than at any other time in the (admittedly short) history of the RaaS market.
    “Part of this is because of the reality that there is a growing stratification between the haves and have nots in ransomware. There are fewer actors making a lot of money, so ransomware actors are jumping from one RaaS to another to improve their chances of success,” the Recorded Future analyst said.
    Furthermore, Liska says there are other connections and overlaps between other RaaS groups, and not just Maze, SunCrypt, and Egregor.
    The Recorded Future analyst pointed to the Sodinokibi (aka REvil) RaaS operation as being one of the services where many groups overlap, primarily because the Sodinokibi administrator, an individual going by the name of Unknown, has often actively and openly recruited affiliates from other RaaS programs.
    Interconnected landscape is actually a good sign
    But while we might view these connections and overlaps as a sign of successful cooperation between cybercrime groups, Chainalysis believes that this interconnectedness is actually a good sign for law enforcement.
    “The evidence suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating,” Chainalysis said.
    This, in theory, should make cracking down and disrupting ransomware attacks a much easier task since a carefully planned blow could impact multiple groups and RaaS providers at the same time.
    According to Chainalysis, these weak spots are the money-laundering and over-the-counter services that RaaS operators and their affiliates often use to convert their stolen funds into legitimate currency.
    By taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can’t profit from their work.


    Discord servers targeted in cryptocurrency exchange scam wave

    Those of us riding the Bitcoin (BTC) wave have watched interest in the cryptocurrency rise especially as the price of a single coin has now reached over $37,000. 

    Bitcoin, Ethereum (ETH), and now Dogecoin (DOGE) — thanks to a few tweets by Elon Musk — have all come onto the radar of would-be traders, but as with every investment, scam artists are seeking means to cash in. 
    Cryptocurrency is certainly not immune to scams or other threats. Cryptocurrency exchanges hit with cyberattacks can end up losing trader funds; exit scams still occur, and regulators are constantly battling fraud. 
    We’re unlikely to see any end of crypto-related scams anytime soon, and in a new warning posted by Kaspersky, a new scheme is now targeting users of Discord. 
    Discord is a messaging and voice chat service that caters to an estimated 300 million users, having branched out from a gamer-heavy community to general use for clubs and for friends to stay in touch. 
    According to Kaspersky researcher Mikhail Sytnik, scam artists are now entering Discord servers and are sending private messages to users that appear to be from new, up-and-coming cryptocurrency exchanges. 
    As new projects and ones that want to “support traders in difficult times,” these ‘exchanges’ try to attract users with promises of free cryptocurrency. And, of course, the recipient is the lucky one chosen for free BTC or ETH. 

    Naturally, such a scam doesn’t attempt to attract users with a paltry offering; instead, thousands of dollars’ worth of cryptocurrency is being awarded. Lucky you.
    Each message contains instructions and a code for accepting the “gift,” Kaspersky notes, as well as a link to register on the fake exchange.
    “The link opens a site that looks like a cryptocurrency exchange, with an adaptive layout, savvy design, and the exchange rate info, charts, order books, and trading history that cryptocurrency traders would expect to see on a trading platform,” the researchers say. “Visitors will also find technical support and several language options. Someone clearly went to a lot of trouble to make the site look legit.”
    As cryptocurrency wallets are now a top target for threat actors, the websites will also offer “two-factor authentication” and “phishing protection” options to try and appear legitimate. 

    Victims going through the registration process are then lured into providing a substantial personal profile, including contact details, photo ID, a selfie, and a signature.
    While these checks are now common on legitimate cryptocurrency trading posts, this information can be packaged up and sold to other cybercriminals, or could potentially be used in identity theft. 
    In the final step of this particular scheme, once the prize ‘code’ is submitted and accepted, the scammers require a small “top-up” in either BTC, ETH, or USD to process the gift. Should a victim hand over their cash, of course, it’s gone for good. 
    Fake exchanges are only one attack vector used by scam artists in the cryptocurrency sector — Initial Coin Offerings (ICOs), too, are constantly abused. 
    In January, a resident of San Francisco was jailed for six months after defrauding investors of cryptocurrency worth an estimated $20 million by pretending to be an ICO consultant. He has been ordered to pay $4.4 million in restitution. 


    Security firm Stormshield discloses data breach, theft of source code

    Image: Stormshield, ZDNet, Bophomet Zhang
    French cyber-security firm Stormshield, a major provider of security services and network security devices to the French government, said today that a threat actor gained access to one of its customer support portals and stole information on some of its clients.

    The company is also reporting that attackers managed to steal parts of the source code for the Stormshield Network Security (SNS) firewall, a product certified to be used in sensitive French government networks, as part of the intrusion.
    The company said it’s investigating the incident with French cyber-security agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), which is currently assessing the breach’s impact on government systems.
    “As of today, the in-depth analysis carried out with the support of the relevant authorities has not identified any evidence of illegitimate modification in the code, nor have any of the Stormshield products in operation been compromised,” Stormshield said in a message posted earlier today on its website.
    The Stormshield incident is currently being treated as a major security breach inside the French government. In its own press release, ANSSI officials said they’ve put Stormshield SNS and SNI products “under observation” for the duration of the investigation.
    But in addition to reviewing the SNS source code, Stormshield said it also took other steps to prevent other forms of attacks, in case the intruders had access to other parts of its infrastructure.
    The French company said it also replaced the digital certificates it used prior to the incident to sign SNS software updates.

    “New updates have been made available to customers and partners so that their products can work with this new certificate,” the company said.
    Intruders also accessed some customer data
    Furthermore, the French security firm said it also reset passwords for its tech support portal, which the attackers breached, and, as a preventive measure, for the Stormshield Institute portal, used for customer training courses, which was not breached.
    Based on the results of its current investigation, Stormshield said the intruders appeared to have also accessed personal and technical data for some of its customers.
    “All the support tickets and technical exchanges in the accounts concerned have been reviewed and the results have been communicated to the customers,” Stormshield said.
    A Stormshield spokesperson told ZDNet that about 2% of accounts were affected in the security breach, which is “around 200 accounts out of more than 10,000.”
    Stormshield, which is a fully-owned subsidiary of Airbus CyberSecurity, could not say if the attack was conducted by a nation-state group at this point in the investigation, the company told ZDNet.
    Article updated at 13:15 ET with comment from Stormshield.