More stories

  • Moody's to invest $250 million in BitSight, create 'cybersecurity risk platform'

    Moody’s Corporation announced on Monday that it would be investing in cybersecurity company BitSight and working with the firm to create a “comprehensive, integrated, industry-leading cybersecurity risk platform.” First reported by CNN, the partnership will see Moody’s invest $250 million in BitSight, and the cybersecurity company will acquire Moody’s cyber risk ratings venture VisibleRisk, which it created with global venture group Team8. In a statement, Moody’s CEO Rob Fauber said organizations need a way to accurately measure and quantify cyber risk and exposure as they continue to invest in cyber defense and resilience. “Creating transparency and enabling trust is at the core of Moody’s mission — to help organizations assess complex, interconnected risks and make more informed decisions,” Fauber said. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of financial loss.” Moody’s said its Investors Service review of cyber vulnerability and impact found 13 sectors that have high or medium-high risk, with “total rated debt exceeding $20 trillion.” Moody’s noted that BitSight has more than 2,300 customers around the world, including dozens of Fortune 500 companies, government agencies, insurers and asset managers.

    BitSight said its acquisition of VisibleRisk adds a cyber risk assessment capability and advances its ability to analyze and calculate an organization’s financial exposure to cyber risk. BitSight’s valuation grew to $2.4 billion after the investment. BitSight CEO Steve Harvey added that the partnership with Moody’s and the acquisition of VisibleRisk expand the company’s “reach to help customers manage cyber risk in an increasingly digital world.” “Cybersecurity is one of the biggest threats to global commerce in the 21st century,” Harvey said. The $250 million deal will make Moody’s the largest minority shareholder in BitSight, according to CNN. Fauber told CNN Business that the effort was started because of the opacity around cyber risk and the spate of serious cyberattacks that have affected a broader range of industries.

  • Surprise! iOS 14.8 for iPhone is out

    We’ve known it was on the way for a few weeks, and now it’s finally here. Ahead of tomorrow’s Apple event — where we’re likely to see the new iPhone and a release date for iOS 15 — iOS 14.8 is out.
    Image: iOS 14.8
    According to Apple, this release contains two security updates and is recommended for all users. Both of the security vulnerabilities patched “may have been actively exploited,” which makes this update all the more important to install.
    Image: iOS 14.8 security fixes
    As to whether this update contains any other surprises, we’ll have to wait and see. I’ll post a rundown of any other changes I see shortly. There’s also an iPadOS 14.8 for iPad users. To install the update, go to Settings > General > Software Update and download it from there.

  • Over 60 million wearable, fitness tracking records exposed via unsecured database

    An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.

    On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth. Based in New York, GetHealth describes itself as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.” The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit. On June 30, 2021, the team discovered a database online that was not password protected. The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as names, dates of birth, weight, height, gender, and GPS logs, among other datasets. While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were Fitbit and Apple’s HealthKit.
    Image: WebsitePlanet
    “This information was in plain text while there was an ID that appeared to be encrypted,” the researchers said. “The geo location was structured as in ‘America/New_York,’ ‘Europe/Dublin’ and revealed that users were located all over the world.”
    Image: WebsitePlanet

    “The files also show where data is stored and a blueprint of how the network operates from the backend and was configured,” the team added. References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the firm’s CTO reached out, informed him that the security issue was now resolved, and thanked the researcher. “It is unclear how long these records were exposed or who else may have had access to the dataset,” WebsitePlanet said. “[…] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.” ZDNet has reached out to GetHealth with additional queries and we will update when we hear back.

  • Zoom unveils new security features including end-to-end encryption for Zoom Phone, verified identities and more

    Zoom announced a slate of new security features users can take advantage of as the school year begins and millions continue to work and learn remotely. At Zoomtopia, the company announced that end-to-end encryption, which it rolled out last October in Zoom Meetings, will now be available for Zoom Phone users. Zoom Phone users can upgrade to end-to-end encryption “during one-on-one phone calls that occur via the Zoom client.” “During a call, users can click ‘More’ to find the option to enable end-to-end encryption. The upgrade takes under a second and helps users get security protection against server compromise,” the company explained in a statement. “Users can optionally exchange security codes over the voice channel to rule out the presence of a ‘meddler in the middle.’ E2EE for Zoom Phone will be available in the coming year.” Zoom also announced two other features designed to enhance the security of its platform: Bring Your Own Key (BYOK) and Verified Identity.

    BYOK was designed to help customers who have to deal with stringent compliance requirements or data residency needs. The tool allows customers to manage their own encryption keys: the customer owns and operates a key management system (KMS) in AWS, which holds a customer master key that Zoom cannot access or see.

    “Zoom will interact with the customer’s KMS to obtain data keys for encryption and decryption and will use these data keys to encrypt and decrypt customer assets before those assets are written to long-term storage. Zoom will not store plaintext data keys in long-term data storage,” Zoom explained in a statement. “BYOK is a separate offering from E2EE and is not designed for real-time use cases like streaming video. It’s best used for the secure storage of larger assets, such as recording files. BYOK will roll out as a customer beta in the coming months for recordings for Zoom Meetings, recordings for Zoom Video Webinars, Zoom Phone voicemails and recordings, and calendar for Zoom Rooms.” Verified Identity was built to help address the growing sophistication of social engineering and phishing attacks. The Verified Identity feature allows users to determine if a meeting guest is actually who they say they are. Zoom said the tool would help users who deal with classified information, specialized services and more. Multi-factor authentication is used to vet users entering a meeting. The tool asks you to identify your role in an organization, your credentials and the network you use. It also provides information about your device, authentication apps, codes, biometrics and email addresses, and it uses passwords, security questions and profile information to verify users. “To make attestation and authentication integral to the Zoom experience, we’re working with Okta to help verify users as they join Zoom Meetings. Once they’re in a meeting, a user will have a checkmark next to their name and can share their verified profile information — including name, email address, and company domain — with meeting participants,” Zoom explained. “Meeting hosts can use in-meeting security controls to remove a participant if for some reason they are not verified, or the displayed information seems incorrect. Displaying verified profile information via Okta will be available sometime next year and is the start of Zoom’s long-term identity attestation and verification initiative strategy.”

  • This is how a cybersecurity researcher accidentally broke Apple Shortcuts

    A Detectify researcher has explained how an investigation into Apple CloudKit led to the accidental downtime of Shortcuts functionality for users.

    In March, Apple users began to report error messages when they attempted to open shared shortcuts. As noted by 9to5Mac, this bizarre issue was of particular concern to content creators who shared shortcuts with their followers via iCloud, who suddenly found their links were broken. Reports began to surface on March 24. A day later, the iPad and iPhone maker told MacStories editor-in-chief Federico Viticci that the company was “working to restore previously shared shortcuts as quickly as possible.” According to Detectify Knowledge Advisor and bug bounty hunter Frans Rosén, the root cause of the issue was a misconfiguration flaw he accidentally stumbled upon — and triggered — in Apple CloudKit. On Monday, Rosén published details of the situation, which arose while he was examining the security of Apple services. Rosén’s exploration began in February, and in particular he wanted to investigate the CloudKit framework, a platform for creating containers suitable for data storage in the Apple ecosystem. Rosén says he noticed that many of Apple’s own applications stored information in databases based on CloudKit. He was “curious” to know if any specific apps’ data could be modified by obtaining access to their public CloudKit containers. The researcher found that various APIs were being used to connect to CloudKit. According to Rosén, there are three scopes in the containers: Private (information is only accessed by you), Shared (shareable between users), and Public (accessible to anyone). Zones are also set with varying permission levels.

    Rosén began testing these permissions and found several vulnerabilities in CloudKit relating to iCrowd+, Apple News, and Shortcuts which permitted him to tamper with content, including stock entries. The most prominent and public issue, found in Shortcuts during March, “caused all Shortcut sharing links to break, and it was quickly noticed amongst Apple users, media reporters, and especially Shortcuts fans,” Detectify said. According to Rosén, he had previously tested different ways to delete public zones and permission was always denied — however, in the Shortcuts CloudKit database, the researcher was surprisingly able to create zones and was also given an “OK” message in an attempt to delete a default zone. A misconfiguration on Apple’s part caused this. “All of them were gone,” the researcher said. “I now realized that the deletion did somehow work, but that the _defaultZone never disappeared. When I tried sharing a new shortcut, it also did not work, at least not to begin with, most likely due to the record types also being deleted.” At this point, Rosén reached out to Apple’s security team, who asked him to stop testing immediately. Apple Security then set to work resolving the issue, restoring Shortcuts functionality and patching the problem in the process by refining its security controls and removing the options to both create new and delete existing public zones. It should be noted that the break did not give the researcher access to any user or sensitive data. While accidental, and causing not only panic for the researcher but also unintentional downtime for users, the discovery earned Rosén a $28,000 bug bounty via the Apple Security Bounty program. “Approaching CloudKit for bugs turned out to be a lot of fun, a bit scary, and a really good example of what a real deep-dive into one technology can result in when hunting bugs,” Rosén commented. “The Apple Security team was incredibly helpful and professional throughout the process of reporting these issues.” The vulnerabilities in iCrowd+ and Apple News also earned him bounties of $12,000 and $24,000. “We would like to thank this researcher for working side by side with us to keep our users and their data safe,” an Apple spokesperson told ZDNet. “He immediately reported his actions so that we were able to quickly fix the issues documented and restore functionality after the researcher unintentionally disrupted the ability to use iCloud sharing links for Shortcuts.”

  • Singapore moots 'foreign interference' law with powers to issue take-down orders to online platforms

    Singapore has mooted new laws that will arm the government with the ability to issue directives to various platforms, including social media and websites, to remove or block access to content deemed part of hostile information campaigns. The proposed Foreign Interference (Countermeasures) Bill aims to detect and prevent foreign interference in local politics, conducted through such campaigns and the use of local proxies. The country’s Ministry of Home Affairs (MHA) on Monday unveiled details of the proposed bill in parliament, describing foreign interference as a serious threat to its political sovereignty and national security. “During a hostile information campaign, hostile foreign actors can seek to mislead Singaporeans on political issues, stir up dissent and disharmony by playing up controversial issues such as race and religion, or seek to undermine confidence and trust in public institutions,” the ministry said in a statement.

    It noted that online comments critical of Singapore saw “abnormal” spikes on social media when the country faced bilateral issues with another country in late 2018 and 2019. MHA further pointed to instances in recent years where social media and communications technologies were used as vehicles to carry “covert, coordinated, and sophisticated” online information campaigns. These sought to push the interests of one country against other nations by manipulating public opinion on domestic political issues in the targeted nation, the ministry said. It cited foreign actors that set up troll farms ahead of the 2020 US presidential elections to highlight controversial domestic issues and promote or discredit certain candidates. There also were efforts to discredit the US government’s handling of the COVID-19 pandemic and sow scepticism of Western-developed vaccines. Hostile foreign actors used a range of tactics and tools to interfere in domestic political discussions, including bots on social media or creating inauthentic accounts to mislead users about their identity.

    MHA said: “As an open, highly digitally-connected, and diverse society, Singapore is especially vulnerable to foreign interference. To counter this evolving threat, we are strengthening our detection and response capabilities, as well as Singaporeans’ ability to discern legitimate and artificial online discourse.” “To complement these efforts, our laws need to evolve, just as other countries have introduced new laws to tackle foreign interference. This bill will strengthen our ability to counter foreign interference, and ensure that Singaporeans continue to make our own choices on how we should govern our country and live our lives.” The Foreign Interference Bill would give MHA the powers to issue directives to various entities, such as social media providers, relevant electronic services (including messaging apps and search engines), internet access services, and owners of websites, blogs, and social media pages, to help authorities investigate and counter hostile communications that originate overseas. Because hostile information campaigns use sophisticated and covert methods, the bill would empower MHA to issue “technical assistance directions” to entities on which “suspicious content” was carried, which then would have to disclose information authorities needed to ascertain if the communications were carried out on behalf of a foreign principal. For instance, these foreign actors might use highly sophisticated fake accounts and bot networks, and the relevant authorities would then require information that resided within the social media companies to ascertain if foreign principals were behind these hostile information campaigns. Technical assistance directions would be issued if MHA suspected plans to conduct an online communication activity in Singapore on behalf of a foreign actor, and the ministry deemed it in the public interest to issue the directive.
    In addition, “account restriction directions” would be issued to social media and relevant electronic services operators to block content from accounts used in hostile information campaigns from being viewed in Singapore. MHA also would be able to issue take-down content orders, which would be needed for content that could cause “immediate and significant harm” in Singapore, the ministry said. These included inciting violence or causing hostility between groups. Should internet intermediaries or communicators fail to comply with such directives, MHA might order internet service providers to block access to the content through an “access blocking direction”. Service restriction directions would require the relevant platforms to take “practicable and technically feasible actions” to restrict the dissemination of content used in hostile information campaigns. These could include disabling or limiting functions that allowed content to become viral, according to MHA. An “app removal direction” also could be issued to require an app distribution service to stop apps known to be used by foreign principals to conduct such campaigns from being downloaded in Singapore. The bill would not apply to Singaporeans expressing their personal views on political issues, unless they were agents of a foreign entity, MHA said. Foreigners and foreign publications reporting or commenting on Singapore politics in an “open, transparent, and attributable way” also would not be subject to the new rules. Singapore in May 2019 passed its Protection from Online Falsehoods and Manipulation Act (POFMA), following a brief public debate; the law took effect in October 2019. It was passed amidst strong criticism that it gave the government far-reaching powers over online communication and would be used to stifle free speech as well as quell political opponents.

  • WhatsApp details plans to offer encrypted backups

    Image: WhatsApp
    WhatsApp announced on Friday it will be offering its users end-to-end encrypted backups later this year. Users will have a choice for how the encryption key used is stored. The simplest is for users to keep a record of the random 64-digit key themselves, akin to how Signal handles backups; they would need to re-enter it to restore a backup. The alternative would be for the random key to be stored in WhatsApp’s infrastructure, in what it dubs a hardware security module (HSM)-based Backup Key Vault that would be accessible via a user-created password. “The password is unknown to WhatsApp, the user’s mobile device cloud partners, or any third party. The key is stored in the HSM Backup Key Vault to allow the user to recover the key in the event the device is lost or stolen,” the company said in a white paper [PDF]. “The HSM Backup Key Vault is responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a certain number of unsuccessful attempts to access it. These security measures provide protection against brute force attempts to retrieve the key.” For redundancy purposes, WhatsApp said the key would be distributed through multiple data centres that operate on a consensus model.

    WhatsApp said it would only know that a key exists in its vault, and would not know the key itself. The backups would store message text, as well as photos and videos received, WhatsApp said. “The backups themselves are generated on the client as data files which are encrypted using symmetric encryption with the locally generated key,” the Facebook-owned company said. “After a backup is encrypted, it is stored in the third party storage (for example iCloud or Google Drive). Because the backups are encrypted with a key not known to Google or Apple, the cloud provider is incapable of reading them.” Earlier this year, WhatsApp delayed enforcing a take-it-or-leave-it update to its privacy terms until May. WhatsApp originally presented users with a prompt to accept its new privacy terms by February 8, or risk not being able to use the app. In the wording used, WhatsApp said the policy would change how it partnered with Facebook to “offer integrations”, and that businesses could have used Facebook services to manage WhatsApp chats. By June, WhatsApp eventually dumped its update plans.
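    The design described in this item (a locally generated 64-digit key, client-side symmetric encryption before upload, and a password-protected key vault that destroys the key after too many wrong passwords) can be modelled in a few dozen lines. The script below is an added example, not WhatsApp's code and not taken from its white paper. It uses a standard-library stand-in for the cipher (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) so that it runs offline; a real deployment would use an AEAD such as AES-GCM. The attempt limit (10), the PBKDF2 parameters, the counter reset on a successful retrieval and the `BackupKeyVault` API are assumptions made for illustration.

```python
"""
Added example, not WhatsApp's code: a toy model of the encrypted-backup
design described in the article.

  * the client generates a random 64-digit backup key locally;
  * the backup is encrypted on the client with that key, with an
    integrity tag, before it is handed to third-party storage;
  * optionally the key is deposited in a password-protected vault that
    counts failed password attempts and destroys the key after a limit.

The cipher is a standard-library stand-in (HMAC-SHA256 keystream in
counter mode, encrypt-then-MAC); a real deployment would use an AEAD such
as AES-GCM. The attempt limit, the PBKDF2 parameters and the vault API
are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 10        # assumption: the white paper only says "a certain number"
PBKDF2_ROUNDS = 100_000  # assumption


def generate_backup_key() -> str:
    """The user-held form described in the article: 64 random decimal digits."""
    return "".join(str(secrets.randbelow(10)) for _ in range(64))


def _derive(secret: str, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys from one secret string."""
    return hashlib.sha256(purpose + secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(secret: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_derive(secret, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_derive(secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(secret: str, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key or a modified blob raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered backup")
    stream = _keystream(_derive(secret, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class BackupKeyVault:
    """Model of the HSM Backup Key Vault: it never sees the password, only the
    key wrapped under a password-derived secret, and it enforces the attempt limit."""

    def __init__(self) -> None:
        self._entries: dict = {}  # user_id -> [salt, wrapped_key, failed_attempts]

    @staticmethod
    def _password_secret(password: str, salt: bytes) -> str:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()

    def deposit(self, user_id: str, password: str, key_digits: str) -> None:
        salt = os.urandom(16)
        wrapped = encrypt(self._password_secret(password, salt), key_digits.encode())
        self._entries[user_id] = [salt, wrapped, 0]

    def has_key(self, user_id: str) -> bool:
        return user_id in self._entries

    def attempts_left(self, user_id: str) -> int:
        return MAX_ATTEMPTS - self._entries[user_id][2] if user_id in self._entries else 0

    def retrieve(self, user_id: str, password: str) -> str:
        entry = self._entries.get(user_id)
        if entry is None:
            raise KeyError("no key on deposit, or it was permanently destroyed")
        salt, wrapped, _ = entry
        try:
            key_digits = decrypt(self._password_secret(password, salt), wrapped).decode()
        except ValueError:
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._entries[user_id]  # key rendered permanently inaccessible
                raise KeyError("attempt limit reached; key destroyed")
            raise PermissionError(f"wrong password, {MAX_ATTEMPTS - entry[2]} attempts left")
        entry[2] = 0  # assumption: a successful retrieval resets the counter
        return key_digits


if __name__ == "__main__":
    key = generate_backup_key()
    backup = encrypt(key, b"constructed sample chat history")  # what goes to iCloud/Drive
    vault = BackupKeyVault()
    vault.deposit("alice", "correct horse battery staple", key)
    print("restored:", decrypt(vault.retrieve("alice", "correct horse battery staple"), backup))
```

    The point the model makes concrete is that the password never leaves the client in usable form: the vault stores only the key wrapped under a PBKDF2-derived secret, so a wrong password shows up as a failed authentication tag, and the vault's only defence against online guessing is the attempt counter, which is why the white paper puts the lockout inside the HSM rather than in ordinary server code.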

  • Ransomware groups continue assault on healthcare orgs as COVID-19 infections increase

    Ransomware groups have shown no signs of slowing down their assault on hospitals, seemingly ramping up attacks on healthcare institutions as dozens of countries deal with a new wave of COVID-19 infections thanks to the potent Delta variant. Vice Society, one of the newer ransomware groups, debuted in June and made a name for itself by attacking multiple hospitals and leaking patient info. Cybersecurity researchers at Cisco Talos said Vice Society is known to be “quick to exploit new security vulnerabilities to help ransomware attacks” and frequently exploits Windows PrintNightmare vulnerabilities during attacks.

    “As with other threat actors operating in the big-game hunting space, Vice Society operates a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands,” Cisco Talos explained last month. Cybersecurity firm Dark Owl added that Vice Society is “assessed to be a possible spin-off of the Hello Kitty ransomware variant based on similarities in the techniques used for Linux system encryption.” The group was implicated in a ransomware attack on the Swiss city of Rolle in August, according to Black Fog.
    Image: The Vice Society leak site (Cisco Talos)
    Multiple hospitals — Eskenazi Health, Waikato DHB and Centre Hospitalier D’Arles — have been featured on the criminal group’s leak site, and the group made waves this week by posting the data of Barlow Respiratory Hospital in California. The hospital was attacked on August 27 but managed to avoid the worst, noting in a statement that “no patients were at risk of harm” and “hospital operations continued without interruption.” Barlow Respiratory Hospital told ZDNet that law enforcement was immediately notified once the hospital noticed the ransomware impacting some of its IT systems.

    “Though we have taken extensive efforts to protect the privacy of our information, we learned that some data was removed from certain backup systems without authorization and has been published to a website where criminals post stolen data, also known as the ‘dark web.’ Our investigation into the incident and the data that was involved is ongoing,” the hospital said in a statement. “We will continue to work with law enforcement to assist in their investigation and we are working diligently, with the assistance of a cybersecurity firm, to assess what information may have been involved in the incident. If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.” The attack on Barlow caused considerable outrage online considering the hospital’s importance during the COVID-19 pandemic. But dozens of hospitals continue to come forward to say they have been hit with ransomware attacks. Vice Society is far from the only ransomware group targeting hospitals and healthcare institutions. The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that the group typically corrupts backups as well. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. Ransomware groups are also increasingly targeting hospitals because of the sensitive information they hold, including social security numbers and other personal data. Multiple hospitals in recent months have had to send letters to patients admitting that sensitive data was accessed during attacks. Simon Jelley, general manager at Veritas Technologies, called targeting healthcare organizations “particularly despicable.” “These criminals are literally putting people’s lives in danger to turn a profit. The elderly, children and any others who require medical attention likely will not be able to get it as quickly and efficiently as they may need while the hackers hold hospital systems and data prisoner,” Jelley said. “Not to mention that healthcare facilities are already struggling to keep up as COVID-19 cases surge once again in many places across the country. Preventing ransomware attacks is a noble effort, but as illustrated by the Memorial Health System attack and so many others like it in recent months, preparation for dealing with the aftermath of a successful attack is more important than ever.”