More stories


    Cyber-attack disruption could last for months, says council

    The London council hit with a cyber-attack a month ago has said that some services may be unavailable or disrupted for months to come.
    Hackney Council, which provides services to 280,000 people in east London, said in an update on the mid-October cyber attack that it was continuing to work hard to recover the affected systems and end the “significant disruption” that has prevented residents from accessing some services.
    The council has described the incident as “an advanced, criminal cyberattack” affecting a large number of services, and said it is working alongside the National Cyber Security Centre (NCSC) and National Crime Agency (NCA) to investigate the ‘repugnant’ attack. However, the council has provided little detail on what happened.
    “Some of our services may be unavailable or disrupted for months,” the council said, but added that some previously affected services have either been fully or partially restored, or the council’s teams have created new or temporary ways for residents to access them.
    “In non-critical areas some of our services have been slower than usual, and we are not currently able to respond to all requests and enquiries as well as we normally would,” the council said.
    “A range of Council services are affected by the disruption caused by the cyberattack that will affect our residents, including areas such as benefit payments and Council Tax payments”, the council said. However, it added that many payment options are still available for rent, service charges, major works and garages.
    Services still affected include the land searches and planning applications needed for property sales, plus the ordering and reporting systems the council uses to process reports such as noise nuisance, antisocial behaviour and missed waste collections. Systems the council uses to access accounts, create new accounts and process payments for things like benefits, Council Tax, rents and service charges, and the online apps that residents use to manage these themselves, are also affected.

    The council also said that messages sent to some of its public email addresses between 12 October and 26 October cannot now be accessed, and that enquiries that have not received a response and remain outstanding should be sent again.


    Meet the hackers who earn millions for saving the web: How bug bounties are changing cybersecurity

    The first time Katie Paxton-Fear found a bug, she thought it was just luck. 
    One of her friends had signed her up for an event in London, where hackers aim to find the vulnerabilities in a particular piece of software.
    Without any experience of cybersecurity beyond being a programmer and developer, she found one bug, then another. “To be fair, I thought it was a fluke,” she says. But since then she’s found 30 more security bugs.
    “It’s kind of like playing Sherlock Holmes,” says Paxton-Fear.


    “You feel like a detective, going in rooting around and saying, ‘That looks interesting’, and having a stream of clues,” she says. “And, when you get all the pieces neatly together, and it works and there’s a bug there – it’s the most thrilling experience ever.”
    But unlike a hacker looking for vulnerabilities to cause damage or steal data, Paxton-Fear is a bug bounty hunter. The bugs she finds are reported to the companies that write the code.

    That allows these organisations to fix the problems before malicious hackers find the same weaknesses. And the bug hunters get paid for each one they find.
    As such she’s part of a growing industry that allows security researchers to hack into organisations’ software – with their permission – and then report the weaknesses they discover in return for a financial reward.
    It’s a different way of approaching computer security, but one that is proving increasingly popular. One key feature is these security researchers will approach a target from the same perspective as a potential attacker. 
    In that sense, bug bounty hunters are both the detective Holmes and also at least in part his nemesis, Moriarty, although Paxton-Fear says she sees herself more as Sherlock because by finding the bugs and reporting them, she’s helping improve security. 
    “I’m doing the right thing,” she says.
    Not that doing the right thing takes away the thrill: Paxton-Fear found herself shaking when she wrote up the report to detail her first bug.
    Finding mistakes in other people’s work
    A number of companies now run their own bug bounty programs, which allow hackers to report the flaws they find in their software. There are also companies that organise these programs for firms that don’t want to run them in-house.
    Paxton-Fear says what she describes as the “nice pocket money” that she makes from bug bounties is a motivator – but not the only one: “For me it’s a hobby, but I really enjoy it.”
    However, for some hackers, bug bounties can mean big paydays.
    According to HackerOne, which organised the events that Paxton-Fear attended and organises bug bounties for big businesses and government agencies, nine hackers have now earned more than $1m each in rewards for spotting vulnerabilities.
    Thirteen more have hit $500,000 in lifetime earnings, and 146 hackers have now earned $100,000 each.
    Researchers doing their hacking on HackerOne’s platform earned nearly $40m in bounties in 2019. That’s nearly equal to the $82m in bounties the company has paid out on behalf of its customers to date – and that doesn’t take into account corporate bug bounty programs that are also paying out millions a year. 
    Not bad money for finding mistakes in other people’s work.
    Tommy DeVoss is one of those nine million-dollar-earning hackers. He is a reformed blackhat hacker turned bug bounty hunter. DeVoss will hunt for bugs a couple of days a week, looking for things that have changed in the systems he is targeting, and maybe checking old bugs to see if there’s been a change that means the flaw is back again.

    “I know the mistakes that get made because I’ve made those mistakes,” says bug bounty hunter, Tommy DeVoss.
    Image: TJ STEGE/HackerOne
    “The biggest determining factor is the fact I’ve just been doing this for so long and I’ve seen so much stuff. I’ve been a system admin and I’ve been a developer. I know the mistakes that get made because I’ve made those mistakes,” he says.
    DeVoss says each of the nine millionaire hackers goes after a different type of bug.
    “None of us have the same skillset and I think that’s why we’re all able to be successful at the same time, instead of fighting each other for the exact same bugs,” he says.
    This elite group of high earners is very much the minority. For the vast majority the rewards are much lower; HackerOne said that of the hackers who have found at least one vulnerability, half have earned $1,000 or more. But for some hackers, bug bounties are becoming a handy source of additional financial support.
    Considering that hacking is often seen as a shady and mysterious world, there’s actually a lot of data about what bug bounty hackers earn, and what motivates them. And it’s not always about the money.
    Explanations for motivations
    Nearly a quarter of the security researchers surveyed by HackerOne said their entire income comes from hacking. For more than half, at least 50% of their income comes from hacking. The company said the average bounty paid for a critical vulnerability stood at $3,650, while the average amount paid per vulnerability is $979. 
    Hacking is a relatively young person’s activity: over 80% are aged under 35 and only half of one percent are over 50. And it’s very male, with only 10% identifying as female or non-binary.
    Three-quarters have a degree or postgraduate qualification in computer programming or computer science. Only 14% have no training in the subject at all. However, when it comes to hacking, nearly half describe themselves as self-taught.

    Nearly half of hackers describe themselves as self-taught.
    Image: Getty Images/iStockphoto
    Hackers also earned 38% more in bounty payments in 2019 compared with 2018, according to data from Bugcrowd, another bug bounty program company, which calculates that its hackers prevented $8.9bn in cybercrime by finding and allowing companies to fix bugs that would otherwise have let attackers into their systems.
    Among the other data Bugcrowd collected is that hackers it seems are not early risers: 73% do their hacking in the evening and only 13% do any in the morning. Nearly half spend four hours or less working on bugs and only a super-hardcore 8% do more than 30 hours a week.
    Hackers seem to find their way to bug bounties via a variety of routes.
    Santiago Lopez, another of HackerOne’s elite group of million-dollar-researchers, became intrigued with hacking after he saw the movie Hackers, and earned his first bug bounty in 2016 – when he was aged 16. He went on to become the first hacker on the platform to make a million dollars in bounties.
    “Most of all, having the curiosity to want to break stuff and play around will really decide if you’re cut out for hacker life,” he says.
    A movie was also behind how Mico Fraxix got interested in computer security, but for a slightly different reason.
    He was working as an IT engineer when Sony Pictures was hacked by North Korea, an attack that was probably in response to the studio’s film comedy, The Interview, which was set in the country.
    For Fraxix, the incident sparked an interest in the world of computer security. One option, he realised, was to become a penetration tester who would probe the defences of a company, often working for a security consultancy firm. But this path was expensive and demanded a degree in cybersecurity. The second option was to become a bug bounty hunter, and he went on to be one of Bugcrowd’s most successful.
    “When I first read online that it’s possible to hack companies and not get prosecuted for it, I was thrilled and amazed,” he says. He worked full time as a bug bounty hunter before moving on to a job in penetration testing – and paid for the training through bug hunting.
    So what makes a good bug bounty hunter? Paxton-Fear reckons being a developer is a big advantage.
    “I have an innate sense of how I would do it and I assume people think like me,” she says.
    “One of the big skills in bug bounties that’s really difficult to teach is intuition. Everything I do I am following my intuition. It’s what looks interesting and what doesn’t look right.”
    Big rewards for helping big tech
    Bug bounty programs have actually been around for a long time. Browser pioneer Netscape launched the first one back in 1995. A few years later, Mozilla decided to launch a similar program to allow users to report bugs in its software – a program that still runs today.
    Mozilla started out with enough money for 10 bounties but didn’t know whether the idea was going to take off or not.
    “We are the oldest security bug bounty that’s still operating,” says Daniel Veditz, senior staff security engineer at Mozilla. “We were a small company and it seemed a good way to encourage people to look into security problems.”
    But from modest beginnings, Mozilla’s bug bounty program has grown. Between 2017 and 2019, Mozilla paid out nearly a million dollars – $965,750 to be precise – to researchers who reported 348 bugs, with an average payout of $2,775 per bug. The Firefox browser maker will pay between $3,000 and $10,000 to researchers who spot potentially exploitable critical and high-rated client security vulnerabilities.
    But for Veditz, having a bug bounty program is also a signal about a company’s attitude towards security. It shows that the company welcomes security researchers and sees value in their work. “We want to send a signal – we care, please come bother. If you’ve found something it helps everyone out.”
    And, after Netscape and Mozilla’s early experiments, many other big tech companies followed. Now bug bounties are offered on anything from bugs in websites to cloud services, business software or mobile apps.
    “We started it as an experiment and there was no one around to encourage us or compare ourselves to,” says Veditz. “Along the way lots of other people have decided that it’s a good idea and emulated us and surpassed us in the amount of money they can afford to pay folks.”
    Among those big spenders on bug bounties are some of the biggest tech giants. Microsoft now offers rewards to security researchers who find vulnerabilities across a range of its products, from Microsoft Azure to Xbox, Microsoft Dynamics 365 to its new Edge browser.
    Earlier this year Microsoft said it had spent $13.7m in bounties in the past 12 months – over three times the $4.4m it spent in the year before. That’s a big number, but so are the potential awards to individuals. A researcher who discovers a critical remote code execution, information disclosure, or denial-of-service vulnerability in Microsoft’s Hyper-V could earn up to $250,000, while vulnerability reports on Microsoft Azure cloud services could earn $40,000.
    Microsoft also noted that, with many unable to leave their homes due to COVID-19 lockdowns, bug bounty hunters have been busy. Across all 15 of its bounty programs, it saw a rise in bug reports during the first several months of the pandemic.
    Google is another big spender on bug bounties, spending a total of $21m since it launched its vulnerability reward programs a decade ago, including $6.5m in 2019 – twice what it had previously paid out in a single year.
    It also has some huge potential bounties on offer, with a top prize of $1m for a “full chain remote code execution exploit with persistence” which compromises the Titan M secure chip on Pixel devices. And if the exploit is on specific developer preview versions of Android, there’s a 50% bonus, taking the reward up to a cool $1.5m.
    After these giants kicked off bug bounty programs, many other tech companies saw the benefits of the approach, making it a common option. But in recent years, the vogue for bug bounties has spread beyond tech – now many large businesses provide some kind of reward. That’s largely thanks to the US Department of Defense, which launched its Hack the Pentagon in 2016 as the federal government’s first bug bounty program, which since then has allowed it to identify – and fix – thousands of security vulnerabilities across public-facing systems.
    Getting eyes on the prize
    So why does code have flaws in the first place?
    Part of the issue is the way that software is written. It’s usually written in a hurry, with a deadline looming and the boss pacing up and down. It’s written by multiple teams with slightly different experiences and different skills and priorities. Those teams will then have to somehow merge those projects together and make sure the end result is secure.

    “It’s not that there are fewer bugs, it’s just the bugs are in different places,” says Katie Paxton-Fear.
    Image: HackerOne
    But then, most likely, the objectives of the project will shift and a new feature is needed, which means new code being added on top. And then, maybe a year or two later, long after the original development team has moved on, a feature will need changing or removing, which means a new team of developers trying to understand, then modify, the whole leaning tower of code. And this is the best-case scenario for development in many cases. No wonder hackers find gaps they can sneak through.
    Paxton-Fear says part of the problem is that software development is so complex and involves multiple teams. 
    “You have all kinds of different developers who touch a piece of software. You get development time that is often really squished for a feature. As a developer you just want to push features out on time. You’re passing code around and little things could be missed all the time – it’s just unfortunate some of these end up being huge security risks,” she says.
    The benefits for the researchers are the chance to poke around in other peoples’ systems – something usually frowned on at best – while getting paid and maybe becoming a hacker celebrity.
    For the companies that use bug bounty programs, the benefit comes from being able to get lots of seasoned hackers to look at their code in exactly the same way that attackers would – but without the risk – and to pay up only if they find anything.
    GitLab launched a private vulnerability disclosure program in 2014 and has since moved on to a public program with HackerOne. It has now paid out a million dollars across 768 bug reporters.
    “The main value we get from it is reducing risk – that’s the ultimate goal,” says James Ritchey, manager of app security at GitLab. “To do that we need to be aware of our security issues – and what better way to do that than having more eyes on the product. It helps our security team scale.”
    It’s also an acknowledgment of the reality of computer security and the threat that every organisation faces when they have systems exposed to the internet.
    “Ignorance isn’t bliss in security, so we really want to know about these security issues and all those eyes can give us a better perspective. The truth is the moment you’re on the internet, you are kind of an open target anyway. At that point it’s better to have a financial outing for those hackers because they’re going to hack anyway,” he says.
    Turning a hobby into a career
    Prash Somaiya, technical program manager at HackerOne, says the bug bounty programs it organises give companies access to skills they couldn’t easily access otherwise. Some companies have such sprawling infrastructure that it’s hard for them to even understand where their own systems are – let alone testing them for security.
    He says the key difference between hiring consultants to do penetration testing and setting up a bug bounty program is that researchers aren’t being paid for their time, and you’re not paying an hourly rate for them to find bugs – it’s all about delivering results.
    “Security is an evolving beast. Every organisation has vulnerabilities present in their software no matter what, and it’s about acknowledging that and working with the security community to uncover these flaws,” he says. “If those vulnerabilities are out there on the internet, they can be found and they can be exploited.”

    Security is an ever-evolving beast.
    Image: Getty Images/iStockphoto
    However, a bug bounty program isn’t a replacement for more traditional forms of security testing, but an addition, cautions Mozilla’s Veditz: “There are companies that jump into a bug bounty program thinking that it’s a substitute for quality assurance or testing or a security program – and that’s a road to disaster.”
    Some critics warn that bug programs are being used as a sticking plaster when actually organisations need to fundamentally rethink how they write code. They say companies should not be relying on outsiders – many are self-taught and doing it for fun, or working in lower-cost economies where the money from bounties goes further – to fix basic errors that in-house teams should have spotted themselves. 
    They argue that companies should ensure their internal development processes encourage secure coding rather than adding security in as an afterthought, or hoping that external hackers can fix the problem later. 
    Taking into account the additional developer time, the cost of the bug bounty program and the cost of any potential security breaches in the interim, making sure the code is secure before it is published is always going to be much cheaper than fixing it later. 
    In addition, to set up a bug bounty program without having the developers in place who can actually trace and fix the bugs discovered – which is a very different skill to finding them in the first place – means that security is unlikely to be improved as a result. It might even make things worse by creating a false sense of security. 
    Indeed, bug bounty programs are not the answer to every problem, and can create some of their own. Some researchers do not want to be involved in them because some programs limit their ability to share the vulnerabilities that they discover, something that would be a benefit to all users of that particular software, and also help them build their own reputation. 
    There’s also a broader criticism of the model – that, like many other crowdsourcing models, the rewards are hard to earn. There are relatively few hackers who make big money. 
    This economic pressure is perhaps part of the reason behind the geographic spread of researchers chasing bug bounties. For Bugcrowd, 80% of bounties are from US companies, but 34% are paid out to Indian researchers – compared with 26% that go to US researchers.
    For HackerOne, nearly 90% of bounties come from the US, and while US hackers get the most, researchers from India, Russia and China also do well. That means bug bounties could in some respects evolve into a crowdsourced twist on the established model of offshore outsourcing. 
    Paying by results keeps costs down, but may also encourage researchers to focus on easier-to-spot flaws they can dig out using automated tools, rather than the ones that might take significantly more time and effort, further creating a false sense of security.
    And it’s also worth remembering that for most participants, bug hunting is a fun pastime. Some may wonder whether it is wise for the largest organisations in the world to rely on hobbyists for their online security. 
    More positively, many hackers see proving their prowess as bug hunters as a route into the security industry, which is desperate for talent. If bug bounties can demonstrate they have a role in creating an on-ramp for new security professionals – as they did for Fraxix – then some of the criticism may go away.
    Hacking is a team sport
    One thing that might surprise outsiders is the amount of cooperation between hackers. Even though only one of them is ever going to be able to claim any particular bounty, the bug bounty hacker community openly shares most information, says DeVoss.
    “One of the major parts of becoming good when it comes to hacking and bug bounties is there are always going to be people smarter than you, who know more than you or who know different things than you,” he says. “I do this for the money but I’m not greedy, so I don’t mind other people making money as well.”
    Paxton-Fear agrees: “I know that if I have a problem I can ask 10 different people for help and rely on their expertise, and a lot of the time they won’t ask for money back – they just want to help. Everyone realises what it was like to get started.”

    Hacking is a community and bug bounties are now part of the mainstream.
    Image: Getty Images/iStockphoto
    Bug bounties have come a long way since the day of Netscape’s first experiment. They’re now firmly part of the mainstream of the security industry. So as the number of wannabe hackers – and companies comfortable with employing them – increases, how does that change the bug bounty world?
    “Hacking will always be a good opportunity for people who don’t want to follow a traditional corporate career path and want the flexibility that comes with the territory,” says Lopez, adding that as awareness of bug bounty hacking grows, it will certainly become less niche, which means more competition.
    Developers are also wising up, which means that some of the easiest bugs are now harder to find.
    Companies have matured drastically over the past few years, says Fraxix: “It used to be that you could easily compromise famous brands and companies but, nowadays, it’s a lot more difficult. Companies are better prepared and their development teams are better trained.”
    That’s especially true when organisations have been running bug bounties for a while.
    GitLab’s Ritchey says when it first ran the program, there were very straightforward findings that were very easy to reproduce.
    “Nowadays, it’s much more complex. The thing is we are constantly releasing new features and updating our own software, and because of that the security issues will never go away. Security issues will always be there – the important thing is to have a multilayered approach to it.”
    The best defence against the worst problem
    And for sure, the types of vulnerabilities being hunted have changed. When the first bug bounties were launched, the cloud and smartphones didn’t exist. Yet those areas are where some of the biggest bounties can now be scored. 
    But that focus may prove to be a mismatch for the bug bounty business model, because most hackers concentrate on web security rather than these more complicated areas that often require additional skills and experience. In Bugcrowd’s latest research for example, 70% of hackers listed web application testing skills, but only 3% listed Android app skills.
    Still, nobody is seriously expecting computer security to improve to the point at which bug bounties – or all the other techniques used to test code once it has been written – are going to be retired any time soon.
    “I don’t think it’s going to get harder… I think it’s going to get different,” says Paxton-Fear. While a few years back bug hunting was all about particular flaws like cross-site scripting and JavaScript injections, now developers know about these problems.
    But thanks to the Internet of Things, the number of devices with some kind of computing power being connected continues to expand, which means new and unusual targets for researchers, like an internet-connected fridge.
    “There are bugs in your fridge for sure,” says Paxton-Fear. “There’s not this ending where developers suddenly know every bug – it just changes. It’s not that there are fewer bugs, it’s just the bugs are in different places.”
    Mozilla’s Veditz agrees; hackers find bugs because they come to the code with that outsider approach, and that’s not going to change.
    “As long as there are bugs in software, there are security bugs, and somebody’s got to find them. Bug bounties are a good way to encourage an outside look. Bug bounties as a concept are here to stay for the foreseeable future until we get perfect robots writing our code that don’t make mistakes.”
    Even perfect robots are unlikely to make bug bounty hunters redundant according to DeVoss, who argues there is no such thing as a 100%-secured computer system – unless that computer is turned off.
    Because of the way that software is written – over years in some cases by teams contributing different elements and adding new features over time – code that seems secure at one point may develop problems as it is altered at a later date.
    “As long as we still have humans writing the code, there’re going to be errors. And even when we get to where AI starts writing code and finding bugs, they’re still going to be there. Just because something seems secure today doesn’t mean that in a month, six months, a year, or five years from now, something is found that completely breaks it all”, he says.
    Lopez has a similar view; don’t expect AIs writing perfect code to put smart humans out of business, he says: “There’ll always be a need for hackers. Even with AI and security built in from the outset, there will always be people who want to break stuff and who will learn to manipulate AI to do so. Human hackers are the best defense against the most sophisticated attacks.”


    Microsoft hits the brakes on Windows 10 updates in December 2020

    Microsoft has told Windows 10 owners and IT admins not to expect any Windows 10 preview updates in December to give them a break when staffing levels are low over the holiday season. 
    December will be a break from the usual schedule of Windows 10 updates each month, which include optional previews that arrive after the mandatory Patch Tuesday security updates in the second week of every month.   


    “Because of minimal operations during the holidays and the upcoming Western new year, there won’t be any preview releases for the month of December 2020,” Microsoft said in a support note. 
    The company will resume monthly servicing with the January 2021 security releases, it said. 
    Microsoft releases optional non-security Windows 10 updates to give customers time to test the updates against systems.  
    It calls the first week of each month ‘A week’ and typically issues fixes for Office. The second week is ‘B week’ or Patch Tuesday. C and D weeks happen on the third and fourth weeks of the month. They’re when Microsoft releases optional cumulative updates or previews of non-security fixes for IT pros and admins. 
    The last time Microsoft paused optional non-security updates that are released after Patch Tuesday was in March. Back then it was to give admins some breathing space while countries across the world went into lockdown in response to the COVID-19 pandemic. It resumed optional updates in July but maintained its Patch Tuesday schedule throughout the pandemic.  

    Over the weekend Microsoft also released a statement confirming it is starting to force Windows 10 PCs on version 1903 up to 1909, as ZDNet reported last week. 
    Microsoft will initiate the forced upgrades “soon” because Windows 10 version 1903 will no longer receive security updates after December 8, the next Patch Tuesday.  
    “On December 8, 2020, all editions of Windows 10, version 1903 and Windows 10 Server, version 1903 will reach end of service. After that date, devices running these editions will no longer receive monthly security and quality updates,” Microsoft notes on the Windows 10 version 1903 update health dashboard. 
    “To keep you protected and productive, we will soon begin updating devices running Windows 10, version 1903 to Windows 10, version 1909. This update will install like a monthly update, resulting in a far faster update experience.”
    As noted by Borncity, Microsoft last week announced that it is suspending driver updates via Windows Update in December. In a message aimed at hardware vendors, it said driver updates through Windows Update will kick off again after January 4.


    The ransomware landscape is more crowded than you think

    Ransomware-as-a-Service (RaaS) ads on hacking forums
    Image: ZDNet
    Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.
    RaaS portals work by providing ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using options provided by the RaaS, and then deploy it in real-world attacks via a method of their choosing.
    These methods vary between RaaS affiliates and can include email spear-phishing attacks, en-masse indiscriminate email spam campaigns, the use of compromised RDP credentials to gain access to corporate networks, or the use of vulnerabilities in networking devices to gain access to internal enterprise networks.
    Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, which keeps a small percentage and forwards the rest to the affiliate.
    RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.
    The RaaS tiers
    According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking scene.
    While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.

    But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.
    Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, an operation has to have been around for months, proven the viability of its code through a large number of attacks, and continued to operate despite public exposure.
    This tier includes the likes of REvil, Netwalker, DopplePaymer, Egregor (Maze), and Ryuk.
    With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.
    These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers of compromised RDP credentials).
    Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.
    This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.

    Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.
    This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.

    All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.
    A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for, or when companies bolster their security measures, making intrusion harder to carry out and drying up profits for crooks.


    David's guide to surviving Thanksgiving 2020: Stay safe, stay home

    For more than ten years, I’ve updated and published my guide to surviving Thanksgiving on ZDNet. Each year, I’ve given advice to help techies deal with immersion into a family dynamic they might not otherwise have encountered all year. Over the years, I’ve added new tips and discoveries that have helped make Thanksgiving successful for thousands of geeks the world over.
    This year is different. This is 2020. Surviving Thanksgiving is no longer a hyperbolic term, used to exaggerate the challenges of getting along with your cranky uncle and scoring all the turkey you want. This year, surviving Thanksgiving literally means surviving Thanksgiving. 

    This year, Thanksgiving could kill.
    Look, I know many of you think that government-mandated lockdowns are impinging on our freedoms. You’re right. Any time a government mandates anything, even if it’s for our own good, it’s impinging on our freedom.
    But exercising your freedom doesn’t mean making bad choices just because you can. As an adult, you can choose to live off of pizza for breakfast, lunch, and dinner. You have that freedom. But you’ll eventually also wind up living with chronic stomach pain. As an adult, you can choose to play with matches all you want despite your mother’s best advice, but you could also burn down your house.
    Freedom means you can make the choice to take responsibility and to act responsibly.
    Now, here’s what we’re facing. We are living in a global pandemic where the infection rate is growing rapidly. The virus spreads effectively indoors, where people are in close contact. Roughly 1,100 people are dying each day in the United States. Each day. By comparison, roughly 3,000 people died on 9-11. We’re experiencing the 9-11 death toll every three days with COVID.

    When I was a kid, my parents and I often went over the river (the Hudson) and through the woods (we passed trees) to grandmother’s house. Meeting us were my uncle, aunt, and two cousins. Thanksgivings brought us together — three separate households breathing each other’s air and fighting over the dark meat turkey for a very special day.
    Even if your holiday celebration consists of just a small family, the odds are your family, like mine, lives in multiple households. If someone is infected with COVID (even if they’re not showing any symptoms), that person could then infect the other households in your family.
    A few years back, I lost my parents. I think about them all the time, especially around the holidays.
    So let’s say you decide to go through with your family Thanksgiving because that’s what you’ve always done. It’s what Mom really wants, and besides, you don’t want to miss out on the turkey. Now, imagine next year at Thanksgiving. 
    How will you feel if Mom isn’t there? 
    How will you feel looking at that empty place setting? How will you feel if you know that all you had to do to make sure Mom was still alive was skip one ceremonial meal — and you didn’t?
    The CDC says that family gatherings like Thanksgiving will become spreader events. So how will you feel if you bring home the infection and it spreads, maybe to other members of your church, synagogue, or school? How will you feel about all those families who will have unfilled seats at their tables resulting from your spreader event, all because you couldn’t bring yourself to say “no” and skip the family visit for one year?
    The city of Chicago agrees. It’s asked residents to stay home and skip Thanksgiving to avoid spreading COVID. Many will bristle at the suggestion that the government is telling people how to live. But this year, that’s literally true. The government is telling people how to keep living.
    Epidemiologists the world over are echoing the recommendations of the CDC and Chicago. Staying home is a message Dr. Fauci is trying to spread as well. The fact is, the chances of the disease spreading drop considerably if you’re not laughing and yelling and talking above everyone else around a crowded feast table. And while some folks find COVID’s seriousness hard to believe, there are many threads like this one, with a whole lot of folks reporting hardships due to the pandemic.

    I want you to compare worst case scenarios for a minute. Let’s say you skip that in-person Thanksgiving event this year. What’s the worst case scenario? You might disappoint Aunt Sally and miss out on Uncle Steve’s awesome turkey.
    Now, what’s the worst case scenario if you go through with that in-person Thanksgiving? You might have to bury Aunt Sally and hope Uncle Steve wakes up from the ventilator without brain damage.
    It doesn’t compare.
    Suck up a little disappointment and keep your family and friends safe. Exercise your freedom to protect your family. Show you’re strong enough to suffer a little disappointment for the good of the people you love, and for the good of strangers you might never meet.
    So, what’s David’s Guide to Surviving Thanksgiving this year? It’s simple: please survive it. COVID kills. That’s not a political statement, just a horrible fact evidenced by the unyielding pace of daily deaths. Make smart decisions. Stay home. Protect your family. Do it, not because your government says it’s the right thing to do, but because it’s actually the right thing to do — especially if you love your family.
    P.S. Still want to hang out with your family even if you’re not in the same house? Here’s the tech angle to this story: connect via Zoom or watch Netflix or Prime Video together using party mode. You’ll have to bring your own snacks, but you’ll still be able to spend the day virtually with your loved ones. And you won’t even have to share the turkey.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords

    A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information, as well as to create a persistent backdoor on compromised systems.
    The Jupyter infostealer has been detailed by cybersecurity company Morphisec, which discovered it on the network of an unnamed higher education establishment in the US. The trojan is thought to have been active since May this year.
    The attack primarily targets Chromium, Firefox, and Chrome browser data, but also has additional capabilities for opening up a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands, as well as the ability to download and execute additional malware.
    The Jupyter installer is disguised in a zipped file, often using Microsoft Word icons and file names that look like they need to be urgently opened, pertaining to important documents, travel details or a pay rise.
    If the installer is run, it will install legitimate tools in an effort to hide the real purpose of the installation – downloading and running a malicious installer into temporary folders in the background.
    Once fully installed on the system Jupyter steals information including usernames, passwords, autocompletes, browsing history and cookies and sends them to a command and control server. Analysis of the malware showed that whoever created it constantly changes the code to collect more information while also making it harder for victims to detect.

    It isn’t clear what the exact motive for stealing the information is, but cyber criminals could use it to gain additional access to networks for further attacks, potentially stealing highly sensitive data, or they could sell login credentials and backdoor access to systems to other criminals.
    The researchers believe that Jupyter originates from Russia. Not only did analysis of the malware reveal that it linked to command and control servers in Russia, but a reverse image search of the planet Jupiter in the infostealer’s admin panel revealed the original to come from a Russian-language forum. That image is also labelled “Jupyter”, likely a Russian-to-English misspelling of the planet’s name.
    While many of the command servers are now inactive, the admin panel is still live, suggesting that Jupyter campaigns may not be finished yet.


    VMware plots 'modern network' strategy with Project Antrea, new features for Tanzu service mesh

    VMware on Monday announced several updates to its virtual networking products and services, including new capabilities across its service mesh, Tanzu, SD-WAN, and Project Monterey products.

    In Tanzu, VMware is announcing a new attribute-based policy model for its service mesh technology.
    Tanzu is VMware’s portfolio for building and managing modern applications, and its service mesh technology lives within that product line. Service mesh technology is meant to function as a control point between containers, ensuring that individual containers are allowed to communicate with each other. It also allows developers to understand data such as performance and response time. 
    “As we go forward, this idea of a service mesh is a very, very strong capability because it addresses the fundamental needs of security, but gives developers the ability to create these very modular, very rapidly changing applications,” said Tom Gillis, the SVP and GM of networking and security for VMware, during a press briefing. 
    “And what we’re announcing today is an exciting new policy model that comes along with this,” Gillis continued. “An attribute based policy model is going to greatly simplify the job of building and administrating policy and drive towards what we’ve talked about, which is that higher level automation capability.”
    In addition to the new service mesh policy model, VMware is also announcing that it has integrated the NSX advanced load balancer into Tanzu. According to Gillis, this provides developers with a Kubernetes operator, or series of APIs, that allow them to spin up whatever services they need without ever touching or configuring the load balancer. The integration is expected to be available in the first quarter of VMware’s fiscal 2022.
    “It’s about automation,” Gillis said. “It’s about simplicity. It’s about breaking the grip and the reliance on those dedicated hardware appliances.” 

    Meanwhile, VMware is also announcing Project Antrea, described as an open-source, cluster level networking solution that allows developers to deploy their own network solution to enable container connections.
    “We built it in a way that it connects to NSX for a two tiered approach,” Gillis said. “So Antrea provides all of the security services, all the connectivity that a developer is going to care about. But when they need to make a connection across clusters or from a cluster to VM, NSX provides that bridge.”
    In the data center, VMware’s monitoring and management software has gained new network modeling capabilities that act as a “pre-flight check” to verify that an application is reachable across both physical and virtual infrastructure. Together with Antrea, these new capabilities represent a significant step towards self-healing networks, VMware said.
    “When there’s a problem [with network performance], we can identify those problems and we’re increasingly able, with virtualized infrastructure, to fix those problems,” Gillis said. “So we’re moving into a world where the infrastructure has a certain amount of self healing capability and fixes itself.”

    Shifting to Project Monterey, which VMware introduced in September, VMware announced that NSX firewall code running on a Monterey SmartNIC will be able to run a stateful layer 7 firewall with advanced threat protection capabilities in the NIC. Specifically, VMware said it’s adding to the NIC layer 2 and layer 3 switching and routing that will run at wire speed, a layer 4 firewall that will run at wire speed, and a layer 7 firewall along with IDS, IPS, and the hypervisor.
    “Being able to put a layer 7 firewall in the NIC and have it operate with effectively an air gap, we think this is a transformative capability for advanced security,” Gillis said. “So, we’re putting the security where it matters, which is right next to your sensitive applications and your data.”
    Finally, VMware also announced SD-WAN Work from Home Subscriptions, which VMware said will offer individual business users optimized network connectivity and better security at an affordable low price. Bandwidth ranges from 350Mbps to 1Gbps depending upon the level of subscription.


    Windows 10 update problem: We're fixing Kerberos authentication bug, says Microsoft

    Microsoft is working on a fix for a bug in last week’s patch for a bypass vulnerability in the Kerberos Key Distribution Center (KDC) security feature. 


    Microsoft has flagged the issue affecting systems that have installed the patch for the bug CVE-2020-17049, one of the 112 vulnerabilities addressed in the November 2020 Patch Tuesday update. 
    Kerberos is a client-server authentication protocol used on multiple operating systems, including Windows. Microsoft attempted to fix a bypass in the Kerberos KDC, a feature that handles tickets for encrypting messages between a server and client.     
    “After installing KB4586786 on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues,” Microsoft notes in its known issues page for all supported versions of Windows 10.
    “This is caused by an issue in how CVE-2020-17049 was addressed in these updates.”
    The buggy patch only affects Windows Server, Windows 10 devices and applications in enterprise environments, according to Microsoft.

    Microsoft addressed the vulnerability by changing how the KDC validates service tickets used with the Kerberos Constrained Delegation (KCD) because there was a bypass issue in the way KDC determines if a service token can be used for KCD delegation.
    Microsoft explains that the PerformTicketSignature registry setting, which controls this behaviour, accepts three values – 0, 1, and 2 – but admins might encounter different issues with each setting.
    “Setting the value to 0 might cause authentication issues when using S4U scenarios, such as scheduled tasks, clustering, and services for example line-of-business applications,” Microsoft states. 
    Additionally, the default value setting of 1 might cause non-Windows clients authenticating to Windows Domains using Kerberos to experience authentication issues. 
    With that setting, admins could also see failures in “cross-realm referrals” on Windows and non-Windows devices for Kerberos referral tickets passing through DCs that haven’t got the Patch Tuesday update. 
    “We are working on a resolution and will provide an update as soon as more information is available,” Microsoft notes. 
    Microsoft has also revised its guidance for deploying the update. It has recommended admins locate the KDC registry subkey, and if it exists on the system, ensure that it is set to 1. Then admins need to complete the deployment to all DCs – and Read-Only DCs.
    “Note that following our original guidance of using the 0 setting could cause known issues with the S4USelf feature of Kerberos. We are working to address this known issue,” it says.
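    The registry check in Microsoft’s revised guidance above can be scripted. The following PowerShell is an added example written for this article; it is not code from Microsoft or from ZDNet. The article names the PerformTicketSignature value and the KB4586786 update but not the registry path, so the script assumes the KDC subkey is HKLM:\SYSTEM\CurrentControlSet\Services\Kdc and that the value is a REG_DWORD; confirm that path against Microsoft’s current guidance before running it with -Remediate. The descriptions of each value follow the article’s own wording, and the script only writes the recommended value 1 when the subkey already exists, matching the guidance “if it exists on the system”.

```powershell
# Added example (not from the article or Microsoft): audit, and optionally
# correct, the PerformTicketSignature setting on a domain controller.
# ASSUMPTION: the KDC subkey is HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
# and PerformTicketSignature is a REG_DWORD there. The article gives the value
# name and KB number only; verify the path against Microsoft's guidance.
[CmdletBinding()]
param(
    [switch]$Remediate   # write the recommended value 1 if the subkey exists
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed path
$ValueName = 'PerformTicketSignature'                         # from the article
$Kb        = 'KB4586786'                                      # from the article

function Test-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-PerformTicketSignature {
    # Returns $null when the subkey or the value is absent, else the DWORD.
    if (-not (Test-Path -Path $KdcKey)) { return $null }
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-SettingDescription {
    param($Value)
    # Wording follows the article's description of each value.
    if ($null -eq $Value) {
        return 'not set: subkey or value absent, the KDC uses its default (1 per the article)'
    }
    if ($Value -eq 0) {
        return 'explicit 0: the original guidance; may break S4U scenarios (scheduled tasks, clustering, line-of-business services)'
    }
    if ($Value -eq 1) {
        return 'explicit 1: the revised guidance; non-Windows Kerberos clients and cross-realm referrals via unpatched DCs may still fail'
    }
    if ($Value -eq 2) {
        return 'explicit 2: a documented third value; the article gives no detail, consult Microsoft before relying on it'
    }
    return "unexpected value $Value"
}

# --- audit ---
$isDc    = Test-DomainController
$kbState = if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { 'installed' } else { 'not installed' }
$value   = Get-PerformTicketSignature

Write-Host ("Domain controller    : {0}" -f $isDc)
Write-Host ("{0}            : {1}" -f $Kb, $kbState)
Write-Host ("{0} : {1}" -f $ValueName, (Get-SettingDescription $value))

if (-not $isDc) {
    Write-Warning 'This host is not a domain controller; the setting only matters on DCs and RODCs.'
}

# --- optional remediation, mirroring the "if it exists, ensure it is 1" guidance ---
if ($Remediate) {
    if (-not (Test-Path -Path $KdcKey)) {
        Write-Warning "$KdcKey does not exist; nothing changed (guidance applies only when the subkey exists)."
    } elseif ($value -eq 1) {
        Write-Host 'Already set to 1; no change made.'
    } else {
        # Requires an elevated session on the DC.
        Set-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -Type DWord
        Write-Host "Set $ValueName to 1. Complete the update rollout on every DC and RODC."
    }
}
```

    Run it without switches on each DC and RODC to inventory the current state, then with -Remediate from an elevated session where the subkey exists and the value is 0 or 2. Because the article notes that cross-realm referrals can fail when referral tickets pass through DCs without the November update, the KB check is reported alongside the registry value so a partially patched forest is visible in the same output.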