More stories

  • Google patches an actively exploited Chrome zero-day

    Google has released today version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux. Today’s release contains only one bugfix for a zero-day vulnerability that was exploited in the wild.

    The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a “heap overflow” memory corruption bug in the V8 JavaScript engine.
    Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on January 24.
    Two days after Buelens’ report, Google’s security team published a report about attacks carried out by North Korean hackers against the cyber-security community.
    Some of these attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on researchers’ systems.
    In a report on January 28, Microsoft said that attackers most likely used a Chrome zero-day for their attacks. In a report published today, a South Korean security firm said it had also discovered an Internet Explorer zero-day used in these attacks.
    Google did not say today if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was so due to the proximity of the two events.

    Regardless of how this zero-day was exploited, regular users are advised to use Chrome’s built-in update feature to upgrade their browser to the latest version as soon as possible. This can be found via the Chrome menu, Help option, and About Google Chrome section.
    Before today’s patch, Google went through a spell last year where it patched five actively exploited Chrome zero-days in a span of three weeks.

  • NortonLifeLock adds 334,000 customers in one quarter

    Growing awareness of the importance of digital security is driving customer growth for NortonLifeLock, the company said Thursday. In its third quarter financial results, the company reported a direct customer count of 21 million, up by 876,000 year-over-year and by 334,000 quarter-over-quarter. 
    “Our vision to protect and empower everyone to live their digital lives safely has never been more relevant than it is today,” CEO Vincent Pilette said in a statement. “Consumers are seeing the value of Cyber Safety with nearly 60% of our customers using Norton 360. We are accelerating our investments in new products and customer experiences that are driving our growth momentum, and with the Avira acquisition, we are just getting started.”
    NortonLifeLock’s non-GAAP diluted EPS was 38 cents on revenue of $639 million, up 3 percent.
    Analysts were expecting earnings of 37 cents per share on revenue of $630.53 million.
    Consumer reported billings in the quarter came to $700 million, up 10 percent. Average revenue per user was $9.10 per month, up 1 percent. 
    NortonLifeLock also said its board of directors has declared a quarterly cash dividend of $0.125 per common share to be paid on March 17.
    For the fourth quarter, the company is expecting revenue in the range of $655 million to $665 million.


  • Fortinet delivers strong Q4, bolsters FortiOS with Zero Trust Network Access

    Fortinet delivered strong fourth quarter growth and updated its FortiOS operating system with more than 300 new features, including Zero Trust Network Access capabilities and tools to better secure networks and proliferating endpoints.
    The updates come as the company said it will focus on growth for the quarters ahead. Fortinet delivered fourth quarter revenue of $748 million, up 21% from a year ago, with net income of 89 cents a share.
    Fortinet’s fourth quarter non-GAAP earnings of $1.06 a share were above expectations. The company said demand for its security platform was strong. Wall Street was expecting Fortinet to report fourth quarter earnings of 97 cents a share on revenue of $722.4 million.
    For 2020, Fortinet delivered earnings of $2.91 a share on revenue of $2.59 billion, up 20% from a year ago. Non-GAAP earnings for 2020 were $3.35 a share.
    Ken Xie, CEO of Fortinet, said “given the many growth opportunities that lie ahead for us, we plan to shift our focus more to growth for at least the next several quarters.”
    For the first quarter, Fortinet is projecting revenue between $670 million to $685 million with non-GAAP earnings of 70 cents a share to 75 cents a share. For 2021, Fortinet is projecting revenue of $3.02 billion to $3.07 billion with non-GAAP earnings of $3.60 a share to $3.75 a share.  
    FortiOS 7.0 lands as Fortinet is aiming to create a platform that will cover data centers, clouds, edge computing endpoints and networks. Fortinet Security Fabric is powered by FortiOS.

    Among the key updates:
    • Zero Trust Network Access for Remote Access and Application Control for FortiGate firewall customers. The Zero Trust set-up is designed to replace traditional VPNs and cut the attack surface by verifying the user and device for every application session.
    • Cloud-based SASE security as a service.
    • Self-healing SD-WAN tools with remediation tools that can adapt for passive application monitoring as well as various cloud deployments.
    • Security for 5G and LTE.
    • Adaptive cloud security to manage hybrid and multi-cloud deployments.
    • Network security tools to improve efficiency and integrate with FortiManager/FortiAnalyzer.
    • The FortiGuard security service with advanced tools for remote work.
    Fortinet said FortiOS 7.0 will be available at the end of the first quarter.

  • We need privacy and security for communications, and there’s an app for that

    Our communications need to be both private and secure. The recent uproar about WhatsApp’s changes to its privacy policy is a good reminder of that fact. While the changes had implications for consumers who use WhatsApp, the concerns also made their way into the enterprise. CISOs have seen discussions quickly morph from personal concerns about privacy to enterprise security concerns about using WhatsApp for business communications. 


    The common question: Is WhatsApp “safe” to use for business communications?  Consider a follow-up question: What do we do, and what can we do, about it? 
    Understand the risks to the business to help make the case for change
    Your business is exposed to privacy, security, reputation, and compliance risks when employees use consumer tools for business purposes. If someone is targeting your organization specifically, it is useful to know that employees regularly communicate business info freely on such a channel. It likely wouldn’t be too difficult to discover if employees talk about it as a tool they use for work or encourage customers or others to use it to communicate with them. 
    Consumer apps aren’t built for business use. End-to-end encryption protects data in transit, and the app provider doesn’t see the content, yet data is still vulnerable on devices. Malware on phones enables hackers to read messages. Someone else picking up an employee’s phone may be able to see messages if there’s no PIN protecting access to the phone or to the app. There is also no guarantee that an individual is using two-step verification or is not automatically backing up their messages to the cloud. They could also save messages to share with others outside of the company, or screenshot freely, and the recipient can do whatever they wish with them. Additionally, vertical-specific compliance guidelines, such as those of the FFIEC (Federal Financial Institutions Examination Council), may also require that you retain business-related text messages.
    Explore how purpose-built tools for secure, private, and compliant business communications can help
    Enterprises typically already have corporate-sanctioned tools for employee communication and collaboration like Google Chat or Microsoft Teams. Sometimes, they need more. They may find that they have use cases where another purpose-built tool is better suited for their needs. For general-purpose business communications and collaboration, tools such as Wickr and Wire include messaging/chat functionality, as well as other features like videoconferencing and file sharing. Tools like KoolSpan and CellTrust enable secure voice calling and more. 
    Options exist with added controls and features that make these offerings suitable for business communications. These can include capabilities such as administrative controls to revoke user access and adjust settings, encryption, the option to host on-premises or in private cloud, metadata protection, or integrations with enterprise applications. Some also offer the option of a portable phone number or use of the app independent of a mobile phone number so that employees are not using their personal phone number for business. 

    What to do next — because change doesn’t happen overnight 
    Provide clear guidance for acceptable communication tools for employees. Consider this a part of security awareness training so that employees understand the risks. This human element is the most important factor. Changing behavior is the most challenging component, especially when consumer apps are a convenient option. 
    Identify your audience, their use case, and employee requirements. Will a new tool serve a segment of the employee population, or is it meant to be used companywide? Determine if employees will need voice, text messaging, document sharing, video, or some other combination of functionality. Will you require integration with key systems (e.g., mobile device management or an archiving solution)? Clarity about these requirements in your initial planning will help narrow your shortlist of vendors and find the best fit for both your workforce and security needs. 
    Build a network of business user champions. These individuals evangelize the use of the tool internally with their peers and provide feedback from initial testing and tool selection through deployment. Target your messaging to best appeal to organizational culture and your workforce. In healthcare, this may be about promoting patient outcomes. For a manufacturer, protecting its competitive edge and reputation may resonate with employees. If no one wants to or can easily use the tool, you’re back at square one. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
    This post was written by Principal Analyst Heidi Shey, and it originally appeared here.

  • Google paid $6.7 million to bug bounty hunters in 2020

    Google said today it paid more than $6.7 million in bug bounty rewards to 662 security researchers across 62 countries for submitting vulnerability reports in Google products last year.

    The figure, up from the $6.5 million the company paid in 2019, is the company’s largest prize pool paid to security researchers to date.
    Most of last year’s bug prizes were awarded in the Chrome VRP (Vulnerabilities Rewards Program), which handed out more than $2.1 million to security researchers for 300 bugs identified in Google’s flagship browser.
    Another major source of payouts was the company’s Android programs. Google said it gave out $1.74 million for bugs discovered in the Android OS code and another $270,000 in the Google Play VRP for bugs found in the Play Store’s most popular and widely used Android apps.
    Among the Android VRP’s main highlights last year, Google listed the following:
    We awarded our first-ever Android 11 developer preview bonus, which paid out over $50,000 across 11 reports. This allowed us to patch the issues proactively before the official release of Android 11.
    Guang Gong (@oldfresher) and his team at 360 Alpha Lab, Qihoo 360 Technology Co. Ltd., now hold a record eight exploits (30% of the all-time total) on the leaderboard. Most recently, Alpha Lab submitted an impressive 1-click remote root exploit targeting recent Android devices. They maintain the top Android payout ($161,337, plus another $40,000 from Chrome VRP) for their 2019 exploit.
    Another researcher submitted an additional two exploits and is vying for the top all-time spot with an impressive $400,000 in all-time exploit payouts.
    We launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets.
    On top of these, Google also said more than $400,000 were sent to security researchers through its research grant program that the company uses to fund innovative areas of security research.
    More than 180 security researchers received grants last year and submitted 200 bug reports in return, which yielded 100 confirmed vulnerabilities in Google products and the open-source ecosystem.

    This year will mark the Google VRP’s 10th anniversary.

  • Netgear BR200 small-business router

    The Netgear BR200 Insight Managed Business Router has been designed to be easy to set up, and features a built-in firewall, VLAN management, and remote cloud monitoring, and can be

  • SoloKeys Solo V2: Open source two-factor authentication security keys

    Two-factor authentication security keys are now all the rage. If you care about security, then you have at least a couple of them on keyrings with you at any one time. The Solo V2, currently on offer via Kickstarter, brings some new features to these must-have items.
    On the face of it, they look like any other two-factor authentication security keys on the market but look closer, and there are some interesting features.

    First up, they are robust. The guts are encapsulated in epoxy resin, making them durable and hard to tamper with.
    Then there’s the reversible connector, a really useful feature for the USB-A version since you can orient it in a way that the LED shows up.
    There are also three capacitive touch pads, again making the Solo V2 easy to use no matter what the orientation.
    There’s also enhanced NFC; you get more reliable wireless authentication.

    Then there’s updatable firmware that can keep the keys fully updated. As far as I’m aware, this feature is unique to SoloKeys. The firmware updates will be signed by SoloKeys, and the user will need to carry this out (so no stealthy background updates). According to SoloKeys, this is more secure and much cheaper than physically replacing all your security keys.
    The Solo V2 keys also come with colorful silicone sleeves.
    The Solo V2 supports FIDO2 and will work seamlessly with services such as Google, Facebook, Twitter, Dropbox, GitHub, and many more.
    Keys are expected to start shipping June 2021, and prices start at $34 for a single key.

  • Blockchain transactions confirm murky and interconnected ransomware scene

    A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks don’t operate in their own bubbles but often switch ransomware suppliers (RaaS services) in a search for better profits.

    The report analyzed how Bitcoin funds were transferred from victims to criminal groups, how the money was divided among the different parties involved in a ransomware attack, and how it was eventually laundered.
    But to understand these dynamics, a short intro into the current ransomware scene is needed. Today, the ransomware landscape is very similar to how modern businesses operate.
    There are coders who create and rent the actual ransomware strain via services called RaaS — or Ransomware-as-a-Service — similar to how most modern software is provided today.
    Some RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, which are usually called “affiliates.”
    The affiliates are the ones to usually spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.
    In some cases, the affiliates are themselves made up of multiple groups. Some are specialized in breaching a company’s network perimeter, and are called initial access vendors, while other groups are specialized in expanding this initial access inside hacked networks to maximize the ransomware’s damage.

    All in all, the ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.
    BTC transactions show collaborations between criminal groups
    The Chainalysis report released today confirms these informal theories with indisputable and unforgeable cryptographic proof left behind by the Bitcoin transactions that have taken place among some of these groups.
    For example, based on the graph below, Chainalysis said it found evidence to suggest that an affiliate for the now-defunct Maze RaaS was also involved with SunCrypt RaaS.
    “We see that the Maze affiliate also sent funds — roughly 9.55 Bitcoin worth over $90,000 — via an intermediary wallet to an address labeled ‘Suspected SunCryptadmin,’ which we’ve identified as part of a wallet that has consolidated funds related to a few different SunCrypt attacks,” Chainalysis said.
    “This suggests that the Maze affiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way.”

    Image: Chainalysis
    Similar findings also show a connection between the Egregor and DoppelPaymer operations.
    “In this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet,” researchers said.
    “Though we can’t know for sure, we believe that this is another example of affiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.”

    Image: Chainalysis
    And last but not least, Chainalysis researchers also found evidence that the operators of the Maze and Egregor operations also used the same money-laundering service and over-the-counter brokers to convert stolen funds into fiat currency.
    Since several security firms have suggested that the Egregor RaaS is a rebrand and continuation of the older and defunct Maze operation, such findings support these theories, showing how old Maze tactics carried over to the new Egregor operation.

    Image: Chainalysis
    Report confirms observations made by security firms
    “Interesting report and very much aligns with what we are seeing,” Allan Liska, a security researcher with threat intel firm Recorded Future, told ZDNet.
    “Recorded Future is seeing more fluidity in the RaaS market now than at any other time in the (admittedly short) history of the RaaS market.
    “Part of this is because of the reality that there is a growing stratification between the haves and have nots in ransomware. There are fewer actors making a lot of money, so ransomware actors are jumping from one RaaS to another to improve their chances of success,” the Recorded Future analyst said.
    Furthermore, Liska says there are other connections and overlaps between other RaaS groups, and not just Maze, SunCrypt, and Egregor.
    The Recorded Future analyst pointed to the Sodinokibi (aka REvil) RaaS operation as being one of the services where many groups overlap, primarily because the Sodinokibi administrator, an individual going by the name of Unknown, has often actively and openly recruited affiliates from other RaaS programs.
    Interconnected landscape is actually a good sign
    But while we might view these connections and overlaps as a sign of successful cooperation between cybercrime groups, Chainalysis believes that this interconnectedness is actually a good sign for law enforcement.
    “The evidence suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating,” Chainalysis said.
    This, in theory, should make cracking down and disrupting ransomware attacks a much easier task since a carefully planned blow could impact multiple groups and RaaS providers at the same time.
    According to Chainalysis, these weak spots are the money-laundering and over-the-counter services that RaaS operators and their affiliates often use to convert their stolen funds into legitimate currency.
    By taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can’t profit from their work.