More stories

  • StarHub suffers data breach, but says no system was compromised

    StarHub says personal data of its customers, including email addresses and mobile numbers, has been found on a dump site. The Singapore telco, however, insists none of its customer database or data systems has been breached. The data breach was discovered during “proactive online surveillance” on July 6 by its cybersecurity team, StarHub said in a statement late Friday disclosing the breach.

    On its website informing customers of the incident, the telco said it needed “time” to investigate the incident and assess the impact before confirming the breach publicly. The relevant authorities, however, were informed of the breach. According to its statement to local media, an illegally uploaded file containing the leaked data was found on a third-party data dump website. StarHub added that the information appeared to date back to 2007.

    The file contained mobile numbers, email addresses, and identity card numbers of 57,191 customers who had subscribed to StarHub’s services before 2007, it said. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business, it said.

    When asked, a StarHub spokesperson would not say which of its customers were impacted or how many of these were existing customers. She also declined to reveal how often it conducted its online surveillance, citing “security considerations”, saying only that the telco conducted such activities “regularly”. She would not provide details when asked if the telco had determined the cause of the breach, saying only that there currently were no indications of compromise on its existing systems.

    According to StarHub, no credit card or bank account details were breached, and there currently were “no indication” the leaked data had been “maliciously misused”. It also noted that none of the company’s “information systems or customer database” was compromised. On its website, it said its investigation into the breach “verified the integrity of our network infrastructure”. The telco said an incident management team was assessing the breach and that digital forensic and cybersecurity consultants were investigating the incident.

    The telco said it had begun “progressively notifying” affected customers via email and was offering six months of complimentary credit monitoring services through Credit Bureau Singapore, to track whether any data might be used inappropriately. The service monitors subscribers’ credit reports and notifies them of various predetermined activities, including when enquiries are made on their credit file and when default records have been updated. StarHub said it expected to take two weeks to notify all affected customers. It also noted that it “attempted” to have the data file removed from the dump site, but did not say whether it succeeded in doing so.

    StarHub CEO Nikhil Eapen said in the statement: “Data security and customer privacy are serious matters for StarHub, and I apologise for the concern this incident may be causing our affected customers. We will be transparent and will keep our customers updated. We are actively reviewing current protection measures and controls in order to implement and accelerate long-term security improvements.”

    StarHub just yesterday announced its second quarter earnings, saying it clocked a 7.3% year-on-year climb in revenue to SG$486.7 million ($360.26 million).

  • Black Hat: How cybersecurity incidents can become a legal minefield

    BLACK HAT USA: When a company becomes the victim of a cyberattack, executives are faced with a tsunami of challenges: containing a breach, remediation, informing customers and stakeholders, identifying those responsible, and conducting a forensic analysis of the incident — to name but a few.


    However, it is not just the real-world issues faced in the moment that businesses have to tackle: the legal ramifications of a security incident have become more important than ever to consider. Speaking to attendees at Black Hat USA in Las Vegas, Nick Merker, partner at Indianapolis-based legal firm Ice Miller LLP, said that before becoming a lawyer he worked as an information security professional, and that this experience allowed him to transition into the legal field through a cybersecurity lens. After being involved in the legal side of over 500 security incidents, ranging from the theft of a laptop to major ransomware incidents, Merker said that many of the pitfalls he experienced could have been “easily avoided with a simple conversation.”

    When attorneys are brought into a cybersecurity incident, they need to consider areas including data protection standards (such as HIPAA or GDPR), insurance coverage, liability, the preservation of evidence, and the potential for lawsuits and class-action claims. Robust IT systems are no longer enough to protect against the financial and reputational harm of cyberattacks, and it is up to legal teams to assist victims in making the right decisions in the aftermath. According to Merker, during a cybersecurity incident, “IT professionals and security folks, people who are not lawyers, [often] find themselves in a weird solution where they need to think like a lawyer or at least have one there.”

    One of the main issues that enterprise players need to consider is attorney-client privilege. Its purpose is to make sure a client who wants to seek advice from an attorney can say what they want and retain confidentiality, and the attorney cannot be compelled to testify against them. However, there are misconceptions surrounding this concept: not everything you say is privileged. A communication might be privileged, but that doesn’t mean the subject matter is privileged, such as the facts surrounding a data breach or cyberattack. “This does not mean that the underlying factors of a security incident are privileged,” the lawyer said. “This is an important thing to think about.”

    If you want to retain privilege, then you need to “paper up” and make sure there are defined lines between investigations, reports, and forensic activity. Specifically, if you want investigations to be privileged, they should be done separately and apart from ordinary business investigations. A “100 percent, separate team should be in place” and any reports on an incident should be “only used for litigation preparedness rather than as a business-outcome report,” Merker commented.

    In addition, it should be noted that corporations can waive privilege, but they cannot necessarily cherry-pick which areas to waive. It may be an “all or nothing” approach in some jurisdictions, and rather than “having your cake and eating it too,” attempts to do so can create further legal challenges. The example given was a document submitted in court with redactions, while the full document, without redactions, had been provided to regulators; such an attempt to partly rely on privilege could fail. Privileged information should also stay within protected walls. The lawyer says that if information is shared, such as through an email or by the watercooler, this could result in deposition and could be considered a waiver of privilege.

    Another area of legal concern relates to OFAC’s recent warning on potential sanctions when ransomware payments are approved, especially if someone ends up paying as part of a criminal chain that lands in an area with economic restrictions, such as Iran or Cuba. This can create individual or corporate liability and prompt heavy penalties, or even jail time. If you’re in a ransomware event and you need to pay the ransom in order to get back online, Merker says you should have a risk-based compliance program, a robust structure and risk assessments for whether or not you will pay a threat actor, and you should engage law enforcement immediately. This could be a significant factor determining the eventual outcome, the legal expert noted. “[Also] getting in touch with us quickly is what you want to do,” Merker added.

    Merker emphasised that companies more often “need to actually use an incident response plan in an incident situation,” and said that documentation should be a key focus. Timelines, logs, major decisions, and status summaries should be kept, as regulators or plaintiffs will be asking questions, and you need to know “what you did, and why you did it.”

    “You need to build up a story of what you actually did as a company,” Merker says. “This will also protect the chain of custody [and] you want to make sure you don’t accidentally waive privilege.”

  • FireEye Q2 results disappoint investors

    FireEye, one of the world’s largest security firms, reported year-over-year revenue growth of 8% in Q2 as the company adjusts following the sale of a major part of its business. Earnings for the quarter came to $0.09 per share on revenue of $248 million, an increase of $2 million compared to the first quarter of 2021. Wall Street was expecting earnings of $0.09 per share on revenue of $249.07 million. The report sent FireEye shares down 10.75% in late trading.

    FireEye sold its FireEye Products business to a consortium led by Symphony Technology Group for $1.2 billion on June 2, dramatically changing the company’s outlook. The all-cash deal is expected to close at the end of the fourth quarter. FireEye said that the deal separates the company’s network, email, endpoint and cloud security products from Mandiant’s software and services. FireEye Products and Mandiant Solutions will continue to be one entity until the transaction closes. Symphony Technology Group and FireEye will maintain reselling and collaboration agreements.

    CEO Kevin Mandia said in June that the deal was made because FireEye wants to scale its software platforms. But the company projected that its products and related subscriptions and support revenue would fall 10% to 11% in 2021 compared to 2020. “The Mandiant Solutions business continued to deliver strong growth in revenue and annualized recurring revenue for the second quarter ended June 30, 2021,” Mandia said.

    The earnings report was split into two parts, one that included revenue from discontinued operations and one that did not. Revenue for the continuing operations this quarter was $114 million, with a non-GAAP operating margin of negative 26 percent and a non-GAAP net loss per basic share of $0.14. For the third quarter of fiscal 2021, FireEye expects non-GAAP net income between $0.05 and $0.07. It gave a revenue outlook between $118 million and $122 million. In December, the company disclosed that it was the target of a massive international cyber espionage campaign.

  • Black Hat: Enterprise players face 'one-two-punch' extortion in ransomware attacks

    BLACK HAT USA: The adoption of double-extortion attacks against companies in ransomware campaigns is a rising trend in the space, researchers warn.

    Ransomware variants are typically programs that aim to prevent users from accessing systems and any data stored on infected devices or networks. After locking victims out, files and drives will often be encrypted, and in some cases backups too, in order to extort a payment from the user. Today, well-known ransomware families include WannaCry, Cryptolocker, NotPetya, Gandcrab, and Locky. Ransomware now seems to make the headlines month after month. Recently, the cases of Colonial Pipeline and Kaseya highlighted just how disruptive a successful attack can be to a business, as well as its customers, and according to Cisco Talos, it’s likely to only become worse in the future.

    In 1989, the AIDS Trojan, arguably one of the earliest forms of ransomware, was spread through floppy disks. Now, automated tools are used to brute-force internet-facing systems and load ransomware; ransomware is deployed in supply-chain attacks, and cryptocurrencies allow criminals to more easily secure blackmail payments without a reliable paper trail. As a global issue and one that law enforcement struggles to grapple with, ransomware operators may be less likely to be apprehended than in more traditional forms of crime, and as big business, these cybercriminals are now going after large companies in the quest for the highest financial gain possible. At Black Hat USA, Edmund Brumaghin, research engineer at Cisco Secure, said the so-called trend of “big game hunting” has further evolved the tactics employed by ransomware operators.

    Now that big game hunting has gone “mainstream,” Brumaghin says that cyberattackers are not deploying ransomware immediately on a target system. Instead, as in the example of typical SamSam attacks, threat actors now, more often, will obtain an initial access point through an endpoint and then move laterally across a network, pivoting to gain access to as many systems as possible.

    “Once they had maximized the percentage of the environment that was under their control, then they would deploy the ransomware simultaneously,” Brumaghin commented. “It’s one of those types of attacks where they know that organizations may be forced to pay out because of instead of a single endpoint being infected, now, 70 or 80 percent of server-side infrastructure is being impacted operationally at the same time.”

    After a victim has lost control of their systems, they are then faced with another problem: the emerging trend of double extortion. While an attacker is lurking on a network, they may also rifle through files and exfiltrate sensitive corporate data, including customer or client information and intellectual property, and they will then threaten their victims with its sale or a public leak. “Not only are you saying you only have X amount of time to pay the ransom demand and regain access to your server, if you don’t pay by a certain time, we’re going to start releasing all of this sensitive information on the internet to the general public,” Brumaghin noted.

    This tactic, which the researcher says “adds another level of extortion in ransomware attacks,” has become so popular in recent years that ransomware operators often create ‘leak’ sites, on both the dark and clear web, as portals for data dumps and in order to communicate with victims. According to the researcher, this is a “one-two-punch” method that is made worse now that ransomware groups will also employ Initial Access Brokers (IABs) to cut out some of the legwork required in launching a cyberattack. IABs can be found on dark web forums and contacted privately. These traders sell initial access to a compromised system, such as through a VPN vulnerability or stolen credentials, and so attackers can bypass the initial stages of infection if they are willing to pay for access to a target network, saving both time and effort.

    “It makes a lot of sense from a threat actor’s perspective,” Brumaghin said. “When you consider some of the ransom demands we’re seeing, in a lot of cases, it makes sense to them instead of trying to go through all the effort [..] they can simply rely on initial access brokers to give them access that has already been achieved.”

    Finally, Cisco’s security team has also noted an uptick in ransomware ‘cartels’: groups that share information and work together to identify the techniques and tactics that are most likely to result in revenue generation. Brumaghin commented: “We’re seeing a ton of new threat actors begin to adopt this business model and we continue to see new ones emerge, so it’s something organizations really need to be aware of.”

  • CISA to partner with Amazon, Google, Microsoft, Verizon, AT&T and more for cyberdefense initiative

    CISA director Jen Easterly announced a new cyberdefense collaborative that will see government bodies partner with Google, Microsoft, Verizon and more on protective cybersecurity measures. Easterly unveiled the initiative in an interview with the Wall Street Journal before speaking about it further at the Black Hat convention on Thursday. The newly appointed head of CISA told the newspaper that the Joint Cyber Defense Collaborative (JCDC) will “uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime.”

    Easterly explained on Twitter that the JCDC will “share insight to shape our understanding of cyber defense challenges and opportunities, design whole-of-nation cyber defense plans to address risks, support joint exercises to improve cyber defense operations and implement coordinated defensive cyber operations.” On its website, the JCDC described its mission as leading “the development of the Nation’s cyber defense plans” as it seeks to “prevent and reduce the impacts of cyber intrusions.” It explains that the $740 billion National Defense Authorization Act (NDAA) of 2021, passed on January 1, gave CISA “new authority” to bring together both public and private institutions to coordinate responses to cyberattacks. Representatives from DHS, the Justice Department, United States Cyber Command, NSA, FBI, as well as the Office of the Director of National Intelligence, will be involved in the initiative.

    Private sector companies involved in the effort include Google, Verizon, Microsoft, AT&T, Amazon Web Services, FireEye, Lumen, CrowdStrike and Palo Alto. Google Cloud CISO Phil Venables told ZDNet it is essential that the public and private sectors work together to defend against evolving threats and shore up modern IT capabilities that will protect federal, state and local governments. “We look forward to working with CISA under the Joint Cyber Defense Collaborative and offering our security resources to build a stronger and more resilient cyber defense posture,” Venables said.

    Shawn Henry, president of CrowdStrike Services and CSO, added that the JCDC will “create an inclusive, collaborative environment to develop proactive cyber defense strategies.” “Continued collaboration between industry and government is critical to thwart today’s sophisticated attacks, and CISA’s initiative to bring the most relevant stakeholders together to defend national security is admirable. CrowdStrike is looking forward to partnering on this critical endeavor,” Henry said.

    [Image: the partnership, as shared by CISA director Jen Easterly on Twitter]
    “The JCDC leads the development of the Nation’s cyber defense plans by working across the public and private sectors to unify deliberate and crisis action planning, while coordinating the integrated execution of these plans,” the collective explained. “The plans will promote national resilience by coordinating actions to identify, protect against, detect, and respond to malicious cyber activity targeting U.S. critical infrastructure or national interests.”

    The JCDC will also coordinate with state-level officials and other owners and operators of critical information systems. It added that “comprehensive, whole-of-nation planning” will be needed to address the wave of cybersecurity incidents facing organizations. In addition to defensive measures, the JCDC said it would also plan for “adaptive” cyber defense to deal with “adversary activity conducted in response to US offensive cyber operations.”

    The JCDC is one of many actions being taken by the Biden Administration to address ransomware attacks and many other headline-grabbing attacks in recent months. In addition to the new mandatory guidelines facing critical infrastructure owners, the JCDC will coordinate with them to “support the development of long-term plans to manage cyber risk and increase resilience of critical infrastructure.”

    During her speech at Black Hat, Easterly thanked US Senator Angus King, Congressman Mike Gallagher and the other leaders of Congress’ Cyberspace Solarium Commission for their help in setting up the JCDC. Easterly was confirmed by Congress on July 12 following a decorated career in the military. She spent more than 20 years working on the US Army’s intelligence and cyber operations and is credited with helping design and create United States Cyber Command.

  • More than 12,500 vulnerabilities disclosed in first half of 2021: Risk Based Security

    Risk Based Security has released two new reports covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed. The company’s data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. The number of reported breaches grew in the US by 1.5%, while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020.

    Inga Goddijn, executive vice president at Risk Based Security, said the methods used by attackers to monetize their efforts have diversified and, at the same time, preventable errors are outpacing hackers when it comes to the amount of data exposed. “The amount of data compromised remains stubbornly high and with another sizable Q2 breach yet to be confirmed, it is possible that the number will climb over 19 billion in the near future,” Goddijn said. The numbers are slightly misleading though, the report notes, because the breach of Forex trading service FBS Markets accounts for about 85% of the records exposed through June 30th. The researchers added that 352 data breaches involved a ransomware attack.

    The number of breaches leaking email addresses held steady at 40% of all breaches, while passwords were leaked in 33% of breaches. Healthcare organizations led the way with the most breaches in 2021 so far at 238. Finance and insurance companies suffered 194 breaches, while manufacturing saw 169 and educational institutions dealt with 138.

    The other report, from Risk Based Security’s VulnDB team, found that it aggregated 12,723 vulnerabilities disclosed during the first half of 2021. For the first half of 2021, the number of vulnerabilities disclosed grew by 2.8% compared to 2020. “Of the vulnerabilities disclosed during the first half of 2021, 32.1% do not have a CVE ID, and an additional 7%, while having a CVE ID assigned, are in RESERVED status which means that no actionable information about the vulnerability is yet available in CVE/NVD,” the report added. “In the first half of 2021, Risk Based Security’s VulnDB team aggregated an average of 80 new vulnerabilities per day. Risk Based Security also updated an average of 200 existing vulnerability entries per day as new solution information, references, and additional metadata became available.”

    Of the vulnerabilities disclosed so far in 2021, 1,425 are remotely exploitable and have a public exploit as well as a mitigating solution. Nearly 900 vulnerabilities that are remotely exploitable do not have a mitigating solution at all.

    One issue spotlighted by the report is the trend of organizations failing to report breaches. The COVID-19 pandemic shifted focus away from cybersecurity, and there has now been a 24% decline in the number of publicly disclosed breaches when comparing data from the first half of 2020 to the first half of 2021. Despite the decline in disclosed breaches, the number of sensitive files exposed continues to grow. Between January 2021 and June 2021, more than 18 billion sensitive or confidential records were exposed, the second highest ever recorded by Risk Based Security.

    Of the data lost in breaches, 61% involved the exposure of names, 38% exposed social security numbers, 25% contained addresses and 22% had financial information. The reports also ranked the top ten products by vulnerability disclosures in Q2 of 2021. Debian Linux led the way with 628, followed by Fedora at 584, openSuSE Leap at 526 and Ubuntu at 443. The top ten vendors by vulnerability disclosures in Q2 2021 included Microsoft at 627, SUSE at 590, Fedora at 584, IBM at 547 and both Oracle and Google above 500. Cisco, Canonical and Red Hat rounded out the list with more than 400 vulnerability disclosures each in Q2 2021.

  • Microsoft tests Super-Duper Secure Mode for Edge

    Microsoft’s Edge Vulnerability Research (VR) team is testing a new feature they’ve christened “Super Duper Secure Mode” (SDSM). Super-Duper Secure Mode is all about making Edge more secure without negatively impacting performance.


    SDSM works by removing Just-In-Time (JIT) compilation from the V8 JavaScript engine’s processing pipeline, which reduces the attack surface available for compromising Edge, as Bleeping Computer (where I first saw the SDSM information) explains. In addition to disabling the JIT, SDSM enables “new security mitigations” to make Edge a more secure browser. “JavaScript plays a key role in any browser story. JITs exist for a reason, and that is to optimize JavaScript performance,” the Microsoft browser researchers noted in their August 4 blog post about SDSM. However, so far the researchers said they don’t see much of a change in performance with the JIT disabled; most of their tests remained unchanged. By disabling the JIT, roughly half of the V8 bugs that must be fixed would be removed. This would mean less frequent security updates and fewer emergency patches for users, the researchers noted. SDSM is still considered to be in the experimental stage. Still, Edge preview testers in the Canary, Dev and Beta rings can enable it now with a flag by going to edge://flags/#edge-enable-super-duper-secure-mode and turning on the new feature.

  • Google's new Nest lineup includes a Doorbell and Cams

    [Image: The new Google Nest Cam lineup. Credit: Google]

    Google on Thursday unveiled several new security cameras that are part of its Nest smart home lineup. There’s a new video doorbell, a floodlight camera to help you monitor your driveway or a dark side of your home, and two new Nest Cams: one that’s battery-powered and designed for use anywhere, and another that’s designed to monitor inside your home.