Information Technology

Ivanti has snapped up both MobileIron and Pulse Secure in an acquisition spree designed to improve the firm’s zero-trust, cloud, and managed IT security portfolio. 

Announced on Tuesday, the Utah-based security company said the combination of both MobileIron and Pulse Secure will bolster Ivanti’s position in “unified endpoint management, zero-trust security, and IT service management (ITSM).”
Under the terms of the deals, Ivanti has purchased outstanding MobileIron stock for roughly $872 million. This figure represents a 27% premium on the firm’s share price as of September 24, 2020, and each stockholder received $7.05 in cash per share held. 
See also: Imperva acquires database security startup jSonar
Since 2007, Mountain View, Calif.-based MobileIron has focused on becoming a zero-trust specialist in the mobile device security space. The firm’s solutions include device validation, user context and app authorization checks, network verification, and threat scanning. 
Pulse Secure was acquired from affiliates of Siris Capital Group but the financial terms of the purchase were not disclosed. 
Founded in 2014, San Jose, Calif.-based Pulse Secure is another zero-trust organization that has created a framework for verifying mobile devices attempting to connect to a corporate network, data center, or the cloud. 

Ivanti says that the combined resources of MobileIron and Pulse Secure will give enterprise clients more robust solutions for protection, self-healing, and self-securing devices connected to corporate networks. In particular, Ivanti is exploring how zero-trust security practices and contextual automation can improve remote infrastructure — adopted by more companies than ever due to the disruption caused by COVID-19. 
CNET: Facial recognition is getting better at making matches around face masks
“We are excited to welcome the MobileIron and Pulse Secure teams into the Ivanti family,” commented Ivanti CEO and chairman Jim Schaper. “Our intelligent experience platform will power business through hyper-automation and secure connections on every device, for any user, wherever and however they work. This enables our customers to collaborate and innovate more freely while reducing the risk of data breaches and enhancing employee experiences.”
In other acquisition news this week, Salesforce announced the purchase of Slack for $27.7 billion, the cloud provider’s largest acquisition purchase to date. 
TechRepublic: How to protect your personal data from being sold on the Dark Web
Tools including Slack are also being used by enterprise players forced into remote work setups due to the pandemic, and according to Salesforce, the deal will see Slack integrated into Salesforce Customer 360. The Slack remote collaboration platform is a competing force against Microsoft Teams. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

the-lightwriter, Getty Images/iStockphoto
The security team behind the “npm” repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.

techrepublic cheat sheet

The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications.
Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis.
According to Sonatype’s Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed any of the two malicious libraries.
The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe (VT scan) that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.
To make sure the njRAT download wouldn’t have any issues, Sharma said the patch.exe loader also modified the local Windows firewall to add a rule to whitelist its command and control (C&C) server before pinging back its operator and initiating the RAT download.
All of this behavior was contained in the jdb.js package only, while the second package, db-json.js, loaded the first in an attempt to disguise its malicious behavior.
Npm security team: Change all passwords

Since infections with any type of RAT-like malware are considered severe incidents, in security alerts on Monday, the npm security team advised web developers to consider their systems as fully compromised, if they installed any of the two packages.
“Any computer that has this package installed or running should be considered fully compromised,” the npm team said.
“All secrets and keys stored on that computer should be rotated immediately from a different computer.
“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they also added.
Constant onslaught
While the npm security team publishes security advisories on a weekly basis, most of them are usually for vulnerabilities in a package’s code that may be exploited in the future.
However, since late August, the npm security team has been seeing an increased amount of npm libraries that have been intentionally put together to steal data from infected systems, suggesting that several theat actors are now interested in compromising programmers’ workstations in an attempt to breach and steal credentials for sensitive projects, source code and intellectual property, or even prepare larger supply chain attacks.
Previous cases include: More

The US Federal Bureau of Investigation says that cyber-criminals are increasingly relying on email forwarding rules in order to disguise their presence inside hacked email accounts.

In a PIN (Private Industry Notification) alert sent last week and made public today, the FBI says the technique has been seen and abused in recent BEC (Business Email Compromise) attacks reported over the summer.
Also: Best VPN service in 2020: Safe and fast don’t come for free 
The hackers’ technique relies on a feature found in some email services called “auto-forwarding email rules.”
As its name implies, the feature allows the owner of an email address to set up “rules” that forward (redirect) an incoming email to another address if a certain criteria is met.
Threat actors absolutely love email auto-forwarding rules as they allow them to receive copies of all incoming emails without having to log into an account each day — and be at risk of triggering a security warning for a suspicious login.
Recent spike of abuse in BEC attacks
Email auto-forwarding rules have been abused since the dawn of email clients; by both nation-state hacking groups, but also regular cybercrime operators.

But in a PIN last week, the FBI says it received multiple reports over the summer that the technique is now often abused by gangs engaging in BEC scams — a form of cybercrime where hackers breach email accounts and then send emails from the hacked account in attempts to convince other employees or business partners into authorizing payments to wrong accounts, controlled by the intruders.
The FBI provided two cases as examples were BEC scammers abused email forwarding rules during their attacks:
In August 2020, cyber criminals created auto-forwarding email rules on the recently upgraded web client of a US-based medical equipment company. The webmail did not sync to the desktop application and went unnoticed by the victim company, which only observed auto-forwarding rules on the desktop client. RSS was also not enabled on the desktop application. After the BEC actors obtained access to the network, they impersonated a known international vendor. The actors created a domain with similar spelling to the victim and communicated with the vendor using a UK-based IP address to further increase the likelihood of payment. The actors obtained $175,000 from the victim.
During another incident in August 2020, the same actor created three forwarding rules within the web-based email used by a company in the manufacturing industry. The first rule auto-forwarded any emails with the search terms “bank,” “payment,” “invoice,” “wire,” or “check” to the cyber criminal’s email address. The other two rules were based off the sender’s domain and again forwarded to the same email address.
FBI recommends syncing email account settings
FBI officials say that the technique is still making victims in corporate environments because some companies don’t forcibly sync email settings for the web-based accounts with desktop clients.
This, in turn, limits “the rules’ visibility to [a company’s] cyber security administrators,” and the company’s security software, which may be configured and capable of detecting forwarding rules, but may remain blind to new rules until a sync occurs.
The FBI PIN — a copy of which is available here — contains a series of basic mitigations and solutions for system administrators to address this particular attack vector and prevent future abuse.
The FBI PIN comes after the FBI reported earlier this year that BEC scams were, by far, the most popular form of cybercrime in 2019, having accounted for half of the cybercrime losses reported last year. More

Special Feature

The new SMB stack
Picking the right tech vendors for your small or medium-sized business can be hard, especially with the cloud and everything-as-a-service providers giving you access to enterprise-level IT. ZDNet helps SMBs build a technology stack that promotes innovation and enables growth.
Read More

Google said it is launching Android Enterprise Essentials, a mobile device management service for small enterprises.
Based on the Android Enterprise Recommended program, Google’s Android Enterprise Essentials is a pared down version with default features and smaller budgets. Google is trying to address the reality that smaller organizations are often targeted by cybercriminals.
Features include:
Requiring a lock screen and encryption on devices to prevent unauthorized access to company data.
Enforcing mandatory malware protection with an always-on Google Play Protect.
The ability to wipe all company data from a device.
The core security features are applied automatically without the need to configure devices.
Google noted that Android Enterprise Essentials is aimed at small businesses but may also work for large companies that don’t need advanced capabilities.
Related: More

Image: Microsoft
Microsoft has removed 18 Edge browser extensions from the Edge Add-ons portal after the extensions were caught injecting ads into users’ web search results pages.
The extensions were removed between November 20 and November 25 after Microsoft received multiple complaints from users via Reddit [1, 2, 3].
A subsequent investigation found multiple abusive extensions that had been uploaded on Microsoft’s new fledgling Edge Add-ons portal.
According to a list shared by a Microsoft community manager, the 18 extensions can be grouped into two categories. The first one is for extensions that tried to pass as the official versions of various apps, even if those apps didn’t have official versions for Edge. This included:
NordVPN
Adguard VPN
TunnelBear VPN
Ublock Adblock Plus
Greasemonkey
Wayback Machine

Image: ZDNet
The second list contained extensions that were copied from authentic Chrome extensions, ported to Edge, and then had malicious code inserted. This included:
The Great Suspender
Floating Player – Picture-in-Picture Mode
Go Back With Backspace
friGate CDN – smooth access to websites
Full Page Screenshot
One Click URL Shortener
Guru Cleaner – cache and history cleaner
Grammar and Spelling Checker
Enable Right Click
FNAF
Night Shift Redux
Old Layout for Facebook
“If you were using any of these extensions installed directly from the Microsoft Edge Addon store, we suggest removing them from edge://extensions,” Microsoft said last month.
The findings highlight that even with a small userbase, Edge has already piqued the interest of cybercrime groups that have been flooding the Chrome and Firefox extension stores with malicious add-ons for the past decade.

As the browser continues to see its usage numbers grow, these types of incidents are expected to become more common, as malware authors usually go where the users are. More

There’s been a huge rise in one particular form of phishing attack as cyber criminals look to exploit the combination of the holiday season shopping rush and the move to shopping online.
More online shopping means people are receiving more emails about the shipment and deliveries of their orders and cyber criminals are actively looking to take advantage of this with phishing emails impersonating internationally-known shipping companies. And while these campaigns predominantly target consumers, they’re also dangerous to businesses too.
Researchers at cybersecurity company Check Point say there’s been an over 440 per cent increase in shipping related phishing emails over the last month. There’s been a spike in these attacks around the world, with Europe seeing the biggest surge, followed by North America and the Asia Pacific region.
The emails are designed to look like they come from shipping companies and retailers and feature messages claiming that there’s been a “delivery issue” or urging users to “track your shipment”.
Shoppers who’ve ordered items online are likely to be concerned about any potential problems around delivery so could easily open the emails and end up falling victim to cyber criminals.
In some cases, the phishing emails – which have all the appropriate branding of the delivery firm they’re mimicking – will claim that potential victims need to make an additional payment to secure their item, directing them to a page which is used to steal their personal information, including name, address and credit card details.
SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened

Malicious hackers can either use the stolen financial data and other personal information directly to commit fraud and raid bank accounts themselves, or alternatively they could sell the stolen details onto other cyber criminals on underground forums.
Alternatively, cyber attackers design phishing emails which ask users to click on a link to login to their account to solve an issue. This malicious link directs victims to a fake version of the delivery company’s web page which sends the email address and password to the attacker.
Once again, cyber criminals can either exploit this for themselves by raiding accounts or for harvesting personal details which they use themselves, or sell onto others to users on the dark web.
While it may first appear that this form of phishing attack is predominantly a risk to consumers, some people could have online shopping accounts tied to their corporate email addresses, and use the same passwords, something which is a very bad idea.
SEE: Identity theft protection policy (TechRepublic Premium)
That means malicious hackers could potentially use these attacks as a gateway to gaining entry to corporate networks – something that could me much more lucrative than stealing bank account information.
“These phishing campaigns are a risk to businesses as well as consumers, as people may share passwords or other credentials across both personal and work-related accounts and inadvertently give them away,” Ian Porteous, regional director for security engineering at Check Point told ZDNet.
“It only takes a few moments of inattention for a user to be tricked by these scams – especially as they play on peoples’ expectations of receiving goods they may have ordered – and given the large numbers of people still working from home, this is exactly what hackers are relying on. For them, it’s just a numbers game to try and steal as much sensitive data as they can,” he added.
In order to help protect against shipping email and other phishing attacks, users are urged to be suspicious of unexpected messages, particularly those which claim to require some sense of urgency as it’s a common psychological trick used by cyber criminals.
If users are concerned that a request could be legitimate, they shouldn’t follow links in the email, but they should visit the retailer or shipping company page directly.
READ MORE ON CYBER SECURITY More

Cyberattacks of all types are an increasingly large problem for all organisations, and as a result many are turning to cyber insurance as a means of protection against some of the effects of an incident. But what is cyber insurance, how does it work and what are some of the things that your business needs to be considering when deciding on a cyber insurance policy?What is cyber insurance?

More on privacy

Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organisations from the fallout from cyberattacks and hacking threats. Having a cyber insurance policy can help minimise business disruption during a cyber incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.
“The formal definition of cyber insurance is essentially a contract between an insurer and a company to protect against losses that are related to computer- or network-based incidents,” explains Juergen Weiss, head of global financial services research and advisory at tech analyst Gartner.
SEE: Network security policy (TechRepublic Premium)
However, there are things that cyber insurance can’t protect against and an organisation will need to make sure it understands what is covered and perhaps more importantly what isn’t covered when they sign up to a coverage plan. While having some form of cyber insurance in place can help a business in the event of an attack, a business is also responsible for its own cybersecurity – the responsibility isn’t something that is just shifted to the insurer.
“Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack,” says the National Cyber Security Centre in its guidance.
Who needs cyber insurance?

Any business with an online component or one that sends or stores electronic data might benefit from cyber insurance, as may any organisation that relies on technology to conduct its operations, which is pretty much every business.
Private personal data such as contact details of customers or staff, intellectual property, or sensitive financial data are all potentially very lucrative to cyber criminals who could could attempt to break into the network and steal it.
There’s also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way to helping organisations that fall victim to attacks like this find a way out of the predicament.
What sort of attacks result in cyber insurance claims?
Cyber insurance claims can be triggered by many sorts of incidents, but right now the most common are ransomware, fund-transfer fraud attacks, and business email compromise scams. 
How much does cyber insurance cost?
The cost of a cyber insurance policy will depend on a number of different factors including the size of the business and the annual revenue. Other factors can include the industry the business operates in, the type of data that the business typically deals with, as well as the overall security of the network.
An organisation that is deemed to have poor cybersecurity or has previous history of falling victim to hackers or a data breach would likely get charged more for a cyber insurance policy than one that has a good reputation for keeping itself secure.
Sectors such as health and finance are likely to find that cyber insurance policies cost more due to the sensitive nature of the fields they operate in.
What does cyber insurance cover?
Different policy providers might offer coverage of different things, but generally cyber insurance coverage will be likely to cover the immediate costs associated with falling victim to a cyberattack.
“Cyber insurance policies are designed to cover the costs of security failures, including data recovery, system forensics, as well as the costs of legal defence and making reparations to customers,” says Mark Bagley, VP at cybersecurity company AttackIQ.
Underwriting data recovery and system forensics, for example, would help cover some of the cost of investigating and re-mediating a cyberattack by employing forensic cybersecurity professionals to aid in finding out what happened – and fix the issue.
This is the sort of standard procedure that follows in the aftermath of a ransomware attack, one of the most damaging and disrupting kinds of incident an organisation can face right now.
It is also the case that some cyber insurance companies tcover the cost of actually giving in and paying a ransom – even though that’s something that law enforcement and the information security industry doesn’t recommend, as it just encourages cyber criminals to commit more attacks.
“The insurance company looks at what the potential incident response and forensic bill might be and that’s going to be bigger in many cases as organisations aren’t prepared, so they’d actually rather pay. It’s very frustrating,” says Theresa Payton, former White House CIO for the George W. Bush administration and founder and CEO of cybersecurity company Fortalice Solutions.
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
Business email compromise (BEC) phishing scams are another form of cyberattack that can cost a business a large, sometimes six-figure sum of money. These attacks see criminals posing as CEO, supplier, or other trusted contact and duping people into transferring payments.
As the UK’s NCSC points out, some insurance policies will cover money lost in BEC fraud – but it’s often part of a specific policy that’s directly related to BEC. It therefore may not be covered by standard cybersecurity insurance – and your organisation could be left without any aid if that’s the case.
Organisations should, therefore, make sure they know exactly what they’re signing up for when choosing a cybersecurity insurance policy – and that it covers the potential damage of the most likely cyberattacks including ransomware, phishing and DDoS attacks.
The NCSC also notes that it’s worth checking if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. This might provide some level of coverage – or may specifically exclude cyber-related incidents.
What isn’t covered by cyber insurance?
There are some things that could be important to organisations that don’t tend to be covered by cyber insurance and it’s vital to understand what isn’t covered, so protecting these assets can be properly managed.
“Cyber insurance is still kind of limited compared to the true amount of risk. So don’t think that all forms of cyber risk are covered by insurance,” says Jon Bateman, fellow in the Cyber Policy Initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace.
The financial damage caused by loss of intellectual property isn’t covered by cyber insurance and neither is the reputational costs that can be incurred following a cyberattack.
For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyberattack, but in the longer run the company might lose business due to public perception of having poor cybersecurity. A cyber insurance policy won’t cover the cost of losing customers due to the bad reputation it picks up as a result of a cyberattack.
Does cyber insurance cover major cybersecurity events?
The summer of 2017 saw two major cyberattacks spread around the world in quick succession with Wannacry ransomware attack taking down networks in May, only to be followed by the much more damaging NotPetya attack just weeks later. NotPetya knocked major organisations around the world offline, and is estimated to have cost billions in lost revenue and restoration costs as in many cases, organisations had to rebuild their networks from scratch.
It sounds like the sort of incident that would result in an insurance company paying out a cyber insurance claim because an organisation was disrupted by an incident that wasn’t their fault – especially as NotPetya was so prolific and indiscriminate in its targeting.
However, some insurance providers argued they didn’t have to pay out because NotPetya, a malware attack linked to the Russian military, classed as an “act of war” that nullified the claim. Other insurance providers did pay out claims for damage caused by NotPetya.
SEE: Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
It’s likely that this is going to continue to be an issue moving forward, especially as the cyber and physical realms become ever more indistinguishable from one another and insurers and their clients might not see eye to eye on what should and shouldn’t be covered.
“A major challenge for this market is how to deal with the most extreme forms of risk – major state-sponsored attacks, major catastrophic incidents across a large number of clients. Cyber-physical events that begin in cyberspace but still go out into the world with societal consequences. They’re very difficult to model and price. If a major incident was to happen it would overwhelm the capacity of cyber insurance markets,” says Bateman.
What do I need to apply for a cyber insurance policy?
Cyber insurance isn’t a silver bullet for solving your cybersecurity problems – far from it. In fact, in order to get a good deal for coverage, your business will likely need to prove that it’s responsible with cybersecurity in the first place. Insurers won’t want to take on a client that looks almost certain to be the victim of a data breach.
Insurers will want to know what cybersecurity your company has in place when applying for a policy and you’ll be expected to maintain accurate details about your cybersecurity as time moves forward – as, in many cases, policies are reassessed every 12 months, so even after acquiring cyber insurance, organisations still need to ensure they maintain proper cybersecurity procedures or risk losing the insurance down the line.
It’s also important to understand which are the systems and data that are essential to your organisation, and to understand whether the level of cover you have is adequate. That means deciding on a cyber insurance policy is a question that goes beyond IT and is a question for broader executive management, too.
“Unlike incidents such as a fire or theft, cyber incidents are often not restricted to a single location. Understanding how your organisation operates and the interdependencies between different parts is vital to determining the extent of an incident, which may have global implications,” says NCSC.
An organisation can’t just decide it doesn’t want to invest in cybersecurity any longer because it now has a cyber insurance policy.
What is the future of cyber insurance?
As the frequency of cyberattacks continues to increase and cyber criminals get more brazen with campaigns, the way cyber insurance operates is going to evolve. As previously noted, cyber insurance providers are unlikely to want to offer policies to organisations that pay little attention to their cybersecurity.
Paying out an insurance claim is a purely reactive activity and is costly for the insurance provider. That’s why some are starting to take a more proactive approach to cybersecurity, not only there to offer a payout if things go wrong, but actively aiding clients to take a better approach to cybersecurity.
“The whole insurance industry is moving away from being a lender of last resort and payouts, to more like a risk advisor and a partner for your business operations. Insurers are now putting black boxes in your car to track driving behaviour – they want to price more accurately and ideally change your behaviour,” says Weiss.
“And the same is happening in the cyber insurance space. The want to make sure that you as a corporate adapt to the risk. It’s a mix of audit, protection and prevented loss,” he adds. More

Image: Blake Cheek
A US judge has sentenced a 22-year-old hacker to eight years in prison for engaging in DDoS extortion schemes, making fake bomb threats against companies and schools across the world, and possession of child pornography materials.

Identified as Timothy Dalton Vaughn, a resident of Winston-Salem, North Carolina, the hacker was arrested in February 2019, pleaded guilty in November of the same year, and was sentenced to 95 months in prison on Monday, following delays to his sentencing due to the COVID-19 pandemic.
Vaughn, who went online as “Hacker_R_US” and “WantedbyFeds,” was a member of Apophis Squad, a hacker group who made a splash in the first eight months of 2018 and then fizzled out of existence after a law enforcement crackdown.
The group was your typical loudmouth hacker squad that bragged about launching DDoS attacks on their Twitter account, but according to court documents, they also extorted some of their targets in private, asking for money to stop their attacks.
But while they’re not the only hacker group to engage in DDoS extortion, Apophis Squad members went off the rails in the summer of 2018, when, for no apparent reason, they escalated their online nuisance to a whole new level by beginning to make erratic bomb threats against a wide range of targets that included schools, airports, government organizations, and many private companies.
Obviously, the switch to such brazen tactics didn’t go unanswered and a law enforcement crackdown followed soon after, especially after one of their fake bomb threats forced a plane to make an emergency landing.
UK police arrested the group’s leader in August 2018, and Vaughn’s arrest followed the next February.

The group’s leader, who went online by nicknames such as “optcz1,” “DigitalCrimes,” and “7R1D3N7,” was identified as George Duke-Cohan, 19, from Hertfordshire, UK.
Duke-Cohan was linked to DDoS extortions and fake bomb threats, and the hacker was quickly trialed in the fall of 2018 to receive a three-year prison sentence in December 2018.
In the follow-up case in the US, authorities similarly linked Vaughn to a $20,000 DDoS extortion against a Long Beach company and bomb threats made against 86 school districts, where he and other co-conspirators claimed to have planted ammonium nitrate and fuel oil bombs in school buildings; rocket-propelled grenade heads under school buses; and land mines on sports fields.
During a subsequent arrest and house search, the FBI said it also found child pornography materials on Vaughn’s devices and tacked on additional charges.
Vaughn was sentenced to 95 months for the child pornography possession charge and 60 months for the other charges. The terms will be served concurrently for a sentence of 95 months (7 years and 11 months) in prison. More