More stories

  • Cyber resilience company Immersive Labs announces $75 million Series C round

    Cybersecurity readiness firm Immersive Labs has announced a $75 million Series C round, with investments from Citi Ventures, Menlo Ventures and follow-on from Goldman Sachs Asset Management. The company helps organizations analyze their cybersecurity “across technical and non-technical teams” while also providing tools to help improve cyber training. Immersive Labs is now marketing a new “Cyber Workforce Optimization” platform that will strive to provide a slate of services related to identifying cybersecurity gaps in an enterprise. “From crisis management with executives, to secure software development amongst engineers and ensuring compliance in legal teams, the platform will use data insights to understand where skills are required and inject role specific training,” the company said of their services in a statement. “It will also enable board-level metrics and benchmarking.” The company has already received $48 million in venture funding and the platform is being used at companies like Vodafone and HSBC as well as organizations like the NHS in the UK.

    “While technology has traditionally been used to plug this gap, it is incapable of making nuanced decisions, thinking laterally, instilling culture, showing leadership or taking into account numerous other crucial factors,” James Hadley, CEO of Immersive Labs, told ZDNet. “We believe human intelligence deserves to reclaim its place alongside Artificial Intelligence in cybersecurity to help organizations build resilience and reduce risk.” Hadley said cybersecurity knowledge and skills should no longer be the “preserve of a few technical people hidden away in a back office.”

    He added that the new funding will allow the company to add “new analytical capabilities and content to provide a more detailed picture of skills across the growing breadth and depth of cyber exposure facing organizations, helping them measure and manage risk better.” Cyber knowledge, skills and capabilities, he said, are growing in demand across entire organizations and not only do security teams need continual upskilling, but developers need to know how to write secure code and teams need to hire the right talent. “This creates a need for skills in both technical and non-technical teams in a way that keeps pace with the attackers. To do this, first you need to understand where these gaps lie. Our platform is capable of collecting this information using our own online learning environments, where people are dropped into cybersecurity scenarios and exercises that cover all topics and roles, from a CEO wargaming a ransomware attack with their whole team to a front-line analyst individually reverse engineering malware,” Hadley explained. “By collecting information on who has been upskilled against which threats specific to their role and when, and cross-referencing this with metadata, we can provide an organization-wide view of skills capabilities.” The platform offers training sessions and gamified environments to help fill any skills gaps that are discovered during the analysis process. “This is a far more cost-effective and efficient way of training, speeding up the skills cycle in a way that is more relevant to today’s remote workforce and the threat at hand. It will also allow CISOs to report on skills levels to the board to make them a bigger part of overall business cyber resilience,” Hadley added. “At the heart of our platform are labs and crisis scenarios: gamified story-driven exercises accessible on-demand through the browser and suitable for a range of different roles and technical abilities. These are informed by emerging threat intelligence and are compiled by our team of in-house experts who specialize in everything from cyber crises to application security to encryption. New labs are created continually, sometimes within hours of a new threat emerging.”

    The company will use the recent funding influx to expand its footprint internationally and bring its global headcount to 600 within the next two years. There are also plans for regional operation centers in Europe and the Asia Pacific region. The company currently has headquarters in Boston and Bristol, with about 200 total employees. Venky Ganesan, a partner at Menlo Ventures, said the cybersecurity labor shortage made it important for organizations to get every employee up to speed on the latest threats. “Immersive Labs helps large organizations confront this head-on by combining smart data analysis with targeted training. The cybersecurity threat will only increase, making Immersive Labs future proof as they seek to help large enterprises educate and arm themselves against ever-evolving threats,” Ganesan said. Other investors, like Arvind Purushotham from Citi Ventures, echoed those ideas, noting that Immersive Labs’ work “creates visibility into and optimizes one of the most valuable assets in cyber defense, the human defenders.”

  • This app teaches you how to make your iPhone secure

    A big part of making security work is educating users about the importance of it, and how quickly (and usually effortlessly) the bad guys can take advantage of our mistakes. This is exactly what iVerify does.

    First and foremost, iVerify is a security scanner that makes sure you are making use of the basic security features such as Face/Touch ID, Screen Lock, and are running the latest iOS version. It also runs a device scan that looks for security anomalies and gives you a heads up if something seems out of place. It can be very hard to spot if an iPhone has been hacked, so having a tool installed that keeps an eye out for the telltale signs of intrusion offers peace of mind. iVerify is also packed with guides that look at the many different security features built into iOS, and how you can take advantage of them to secure your iPhone (or iPad). There’s also a whole raft of other cool stuff, from information on securing your Apple, Facebook, Google, Instagram, Linkedin, and Twitter accounts, information on activating DNS over HTTPS, a periodic reboot reminder (a simple way to protect yourself from remote exploits), and even a page that offers the latest security news.

    iVerify is a brilliant app that gets regular updates to keep the information fresh and up-to-date. iVerify is not free — it costs $2.99 — but it’s truly worth the money if you take security seriously. Even if you know your way around iOS well, you’re likely to learn a few new things from going through all the guides contained in this app. iVerify requires iOS 13.0 or later or iPadOS 13 or later, and is compatible with iPhone, iPad, and iPod touch.

  • iVerify (version 17)

    iOS Haptic Touch

    Just long-press on an app and see what pops up. It might be useful, it might not be. It depends on the app! You can even do the same with built-in iOS features, such as Control Center.

  • Avaddon ransomware group closes shop, sends all 2,934 decryption keys to BleepingComputer

    Avaddon ransomware group, one of the most prolific ransomware groups in 2021, has announced that they are shutting the operation down and giving thousands of victims a decryption tool for free. BleepingComputer’s Lawrence Abrams said he was sent an anonymous email with a password and link to a ZIP file named, “Decryption Keys Ransomware Avaddon.” The file had decryption keys for 2,934 victims of the Avaddon ransomware. The startling figure is another example of how many organizations never disclose attacks, as some reports have previously attributed just 88 attacks to Avaddon. Abrams worked with Emsisoft chief technology officer Fabian Wosar and Coveware’s Michael Gillespie to check the files and verify the decryption keys. Emsisoft created a free tool that Avaddon victims can use to decrypt files. Ransomware gangs — like those behind Crysis, AES-NI, Shade, FilesLocker, Ziggy — have at times released decryption keys and shut down for a variety of reasons. A free Avaddon decryption tool was released by a student in Spain in February but the gang quickly updated their code to make it foolproof again.  “This isn’t new and isn’t without precedence. Several ransomware threat actors have released the key database or master keys when they decide to shut down their operations,” Wosar told ZDNet. “Ultimately, the key database we obtained suggests that they had at least 2,934 victims. Given the average Avaddon ransom at about $600,000 and average payment rates for ransomware, you can probably come up with a decent estimate of how much Avaddon generated.”

    Wosar added that the people behind Avaddon had probably made enough money doing ransomware that they had no reason to continue. According to Wosar, ransom negotiators have been noticing an urgency when dealing with Avaddon operators in recent weeks. Negotiators with the gang are caving “instantly to even the most meager counter offers during the past couple of days.” “So this would suggest that this has been a planned shutdown and winding down of operations and didn’t surprise the people involved,” Wosar explained. Data from RecordedFuture has shown that Avaddon accounted for nearly 24% of all ransomware incidents since the attack on Colonial Pipeline in May. An eSentire report on ransomware said Avaddon was first seen in February 2019 and operated as a ransomware-as-a-service model, with the developers giving affiliates a negotiable 65% of all ransoms. “The Avaddon threat actors are also said to offer their victims 24/7 support and resources on purchasing Bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom,” the report said. “What’s interesting about this ransomware group is the design of its Dark Web blog site. They not only claim to provide full dumps of their victims’ documents, but they also feature a Countdown Clock, showing how much time each victim has left to pay. And to further twist their victims’ arms, they threaten to DDoS their website if they don’t agree to pay immediately.”

    The group has a lengthy list of prominent victims that include Henry Oil & Gas, European insurance giant AXA, computer hardware company EVGA, software company Vistex, insurance broker Letton Percival, the Indonesian government’s airport company PT Angkasa Pura I, Acer Finance and dozens of healthcare organizations like Bridgeway Senior Healthcare in New Jersey, Capital Medical Center in Olympia, Washington and others. The gang made a note of publishing the data stolen during ransomware attacks on its dark web site, DomainTools researcher Chad Anderson told ZDNet last month. Both the FBI and the Australian Cyber Security Centre released notices last month warning healthcare institutions about the threat of Avaddon ransomware.

    The notice said “Avaddon threat actors demand ransom payment via Bitcoin (BTC), with an average demand of BTC 0.73 (approximately USD $40,000) with the lure of a decryption tool offered (‘Avaddon General Decryptor’) if payment is made.” The group was also implicated in multiple attacks on manufacturing companies across South America and Europe, according to the Australian Cyber Security Centre. Cybersecurity firm Flashpoint said that alongside REvil, LockBit, and Conti, Avaddon was one of the most prolific ransomware groups currently active. Digital Shadows’ Photon Research Team told ZDNet in May that a forum representative for the Avaddon ransomware took to the Exploit forum to announce new rules for affiliates that included bans on targeting “the public, education, healthcare, and charity sectors.” The group also banned affiliates from attacking Russia or any other CIS countries. US President Joe Biden is expected to press Russian President Vladimir Putin on ransomware attacks at a summit in Geneva on June 16.

  • Apple will finally give iPhone and iPad users an important choice to make

    I’ve long believed that Apple should separate security updates from iOS and iPadOS releases and allow iPhone and iPad users to choose if they want to upgrade or stick with the current release and continue to receive security updates. Come the launch of iOS 15 and iPadOS 15, iPhone and iPad users will get this exact choice. The page listing the features for both iOS 15 and iPadOS 15 outlines the change.

    Here is the relevant bit from the iOS 15 page: “iOS now offers a choice between two software update versions in the Settings app. You can update to the latest version of iOS 15 as soon as it’s released for the latest features and most complete set of security updates. Or continue on iOS 14 and still get important security updates until you’re ready to upgrade to the next major version.” The iPadOS 15 page contains similar language. Of course, there are questions around this.

    For example, will users get to choose what path to take, or will the iOS 15 opt-out feature be buried deep in the settings where few will see it? How long will Apple continue to offer updates for iOS 14? Will it be for the duration of the iOS 15 lifecycle (after which, will iOS 14 users have to choose to move to iOS 15 or iOS 16), or for a limited period? Also, will users who have upgraded to iOS 15 be able to roll back to iOS 14? Currently, Apple prevents rolling back by not signing earlier releases of iOS (for obvious security reasons). All this said, it’s a good thing that Apple is giving users this choice, because it will mean iPhone and iPad users will be able to get security updates without having to take on a whole new release. This will be of particular interest to those running older hardware that might experience performance issues running under the weight of iOS 16. Interestingly, it seems that Apple Watch users will have to upgrade to watchOS 8 to get updates, because there is no mention of staying on watchOS 7 anywhere in what Apple has published. What will you do? Upgrade immediately to iOS 15, or sit back and play a wait-and-see game on iOS 14?

  • DOJ charges cybersecurity official for attack on Georgia hospital

    The Justice Department filed charges against a former cybersecurity official this week over a 2018 cyberattack on Gwinnett Medical Center in Georgia. Vikas Singla was indicted for allegedly stealing information from a digitizing device while also disrupting the hospital’s phone and printer services. While the indictment did not name the company the 45-year-old worked for, Bleeping Computer reported he was chief operating officer of a healthcare-focused network security firm called Securolytics. The Marietta native allegedly had help with the attack. The indictment said Singla was “aided and abetted by unknown others” on September 27, 2018 when he hacked into the hospital’s Ascom phone system as well as a series of Lexmark printers and a Hologic R2 Digitizer. Singla appeared before US Magistrate Judge Linda Walker of the U.S. District Court for the Northern District of Georgia on Thursday and was charged with 17 counts of intentional damage to a protected computer. Each count carries a sentence of up to 10 years in prison. He is also facing a charge of obtaining information by computer from a protected computer. Less than a month after the intrusion, Gwinnett Medical Center began investigating their own systems after patient information appeared online, according to ZDNet. They traced the breach back to an IT intrusion on September 29 — just two days after Singla’s alleged actions — and said the attackers were threatening the 500-bed non-profit hospital.

    After three days, the attackers released full names, dates of birth, and gender of some patients while also boasting to news outlets about their access to the hospital’s systems. One of the attackers, angry that the hospital initially denied it was hacked, messaged security blog Salted Hash to tout their control of the hospital, writing, “does GMC have control of this system. The answer is no. The last time we checked, we own their Ascom system and their data.” The FBI and Justice Department did not say whether the two attacks were connected, but Acting US Attorney for Georgia Kurt Erskine said Singla “allegedly compromised Gwinnett Medical Center’s operations in part for his own personal gain.” Chris Hacker, Special Agent in Charge of the FBI’s Atlanta Field Office, added that the cyberattack could have had disastrous consequences and noted that patients’ personal information was compromised due to Singla’s alleged actions.

  • Lax security around URL shortener exposed PII of US retailer Carter’s customer base

    US retailer Carter’s accidentally exposed the personally identifiable information (PII) of potentially hundreds of thousands of customers. 

    On Friday, vpnMentor said the incident was not caused by an unsecured bucket or misconfiguration in a cloud storage system — as is often the case when it comes to accidental leaks — but rather a “simple oversight” in the firm’s online order tracking infrastructure. The breach, discovered through a web mapping project underway at vpnMentor, was caused by a failure to implement authentication protocols for a popular URL shortener tool used on the retailer’s US e-commerce domain. Carter’s is a major retailer for baby clothing and apparel in the United States which now operates worldwide. The company generated over $3 billion in revenue during 2020. When a purchase was made through the Carter’s US website, the vendor would automatically send the customer a shortened URL to access a purchase confirmation page. However, a lack of security around the URLs themselves, together with no authentication to verify the customer, was problematic. The confirmation pages, generated by Linc’s automation platform, contained a variety of customer PII — and to add another potential problem, the links never expired, allowing anyone to access these pages at will, at any time, alongside backend JSON records. Information exposed on these pages included full names, physical addresses, email addresses, phone numbers, shipping tracker IDs, as well as purchase and transaction details.

    “Due to the massive volume of sales Carter’s enjoys every year, this simple but drastic oversight exposed 100,000s of people to fraud, theft, and many other dangers,” the researchers say. Due to the nature of the flaw, the exact number of records exposed is unknown. However, the team estimates that over 410,000 records could have been open to abuse, with the potential impact including phishing, social engineering, and identity theft. Carter’s was informed of the security breach on March 22, five days after the initial discovery. Contact was made on March 30, and initially, the retailer asked vpnMentor to submit their findings through Bugcrowd. However, Carter’s eventually accepted the direct report and the shortened URLs were pulled between April 4 – 7. ZDNet has reached out to Carter’s but has not heard back at the time of publication.

  • Apple should fix this privacy issue, not try to keep it quiet

    The story that an iPhone owner’s personal data was leaked online while it was in the hands of an authorized Apple repair center should bring chills to any owner of Apple hardware out there. And Apple’s response to the matter is even more worrying. This incident happened in 2016 at a Pegatron facility in California. It’s quite shocking. Our devices contain a vast array of private and personal data, ranging from health and financial data, our communications, movements, and personal photos and videos. The idea that someone could be going through this when a device is in for repair and go as far as to share that information is appalling.

    Apple is a company that claims to put privacy at the core of everything it does. And yet, everything from how it handled this to its inaction since suggests Apple is more concerned about its image than about user privacy.

    The fact that Apple’s involvement in this was kept confidential, becoming public only as a result of a legal dispute between Pegatron and its insurer over the cost, doesn’t look good. Now, there are always going to be people who end up in positions of trust that shouldn’t be trusted. It’s a fact of life. But Apple is supposedly leading the way when it comes to user privacy, and that should include the privacy of users wanting their devices repaired. It’s unclear here whether the repair center asked for access to the iPhone in question, or whether the device was unprotected, but either way, the best way to prevent this from happening is to make it so that it can’t happen. Just as some cars, such as Tesla, have a valet mode that secures certain features of the vehicle from access, Apple needs to implement a similar feature for its devices. This “repair mode” feature would allow repairers access to the device but no access to any of the data on the device. This would be a great addition to newer devices, closing a privacy loophole. I would also expect authorized repair centers to offer an environment where snooping on data, and being able to copy or share it, would be hard to do. I’ve seen secured repair facilities where CCTV is in use, the test networks don’t have access to the internet and are managed, and employees are not allowed to bring their own tech into the repair areas. This is somewhat extreme, but as users are asked to trust Apple with more and more of their data, there needs to be a barrier between repair agents and the user’s personal data. An alternative is a secure backup followed by a wipe before a device is handed over for repair, with the data reloaded following the repair.

    I know that companies try to cut costs when it comes to repair, especially when it comes to warranty work, but for a company rolling in cash, that’s a poor excuse. Also, while taking control of the privacy and security of user data during repair sounds costly, privacy breaches are costly, both in monetary terms and bad publicity. Apple does offer users tips on getting their device ready for service, which shifts the responsibility to the user. The problem is that, depending on what’s wrong with a device or how it is damaged, this is not always possible. For example, on an iPhone with a dead screen, suffering from water intrusion, or stuck in a boot loop, this isn’t going to be possible. Owners should be confident they can send in their hardware for service without having that data snooped on even if they can’t securely erase it. You might also think that this is a lot for Apple in response to a single case from 2016, but given that Apple wanted to keep this quiet, we must bear in mind that this could be the one case we know of out of many that we don’t. Suppressing its involvement in these things isn’t helping secure end users. It just allows Apple to pretend that it’s not an issue. And it clearly is a problem.