More stories

  • in

    Even cybersecurity companies spill data and passwords

    The business of cybersecurity companies is to keep users safe from hackers and cyber attacks but almost all cybersecurity providers have themselves had data leaked or stolen and published on dark web forums.
    Research by application security company Immuniweb found that nearly all of the top cybersecurity companies have had corporate data exposed and shared on the cyber criminal underground, including login credentials such as usernames and passwords.
    Compromised servers, social engineering and password re-use are among the reasons for data spillages.
    “The cases really vary across the victims, ranging from compromised servers that were apparently forgotten by the victims, to targeted attacks against employees leveraging social engineering and phishing. A considerable number of incidents stems from third parties where employees of the victims were using their professional email addresses to sign in,” Ilia Kolochenko, CEO of Immuniweb told ZDNet.
    Researchers were able to uncover over 600,000 records containing plain text credentials or personal information.
    And while the majority of passwords discovered in these breaches are described as strong, 29 percent would be considered weak: fewer than eight characters, no numbers, no special characters and no capital letters.
    Common weak passwords like ‘password’ and ‘123456’ appear over 1,000 times each in the data analysed, while others like ‘password1’ ‘12345678’ and ‘qwerty’ appear hundreds of times.
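    The kind of triage such a finding implies, as an added example that is not part of the original article or of Immuniweb's research: the script below takes leaked records in a constructed service,email,password form and reports the weak-password share, the most common weak passwords, credentials reused across services, and corporate addresses registered on third-party services (the pattern Kolochenko describes). The weakness test is this example's own reading of the criteria quoted above, and the corporate domain, the service names and the records themselves are all made up.

```python
from collections import Counter, defaultdict

# Constructed sample of leaked records, "service,email,password" per line.
# Made up for this example; not data from the Immuniweb research.
SAMPLE_DUMP = """\
acme-vpn.example,alice@acme.example,password
acme-vpn.example,bob@acme.example,Tr0ub4dor&3
forum.example,alice@acme.example,password
forum.example,carol@acme.example,123456
shop.example,dave@acme.example,qwerty
shop.example,erin@gmail.example,S3cure!Pass
git.example,bob@acme.example,Tr0ub4dor&3
news.example,frank@acme.example,Summer2020!
"""

# Passwords the article reports appearing hundreds or thousands of times.
COMMON_WEAK = {"password", "123456", "password1", "12345678", "qwerty"}


def is_weak(password):
    """This example's reading of the article's criteria (an assumption):
    weak if shorter than eight characters, on the common list, or built from
    fewer than two of the classes digit / uppercase / special character."""
    if len(password) < 8 or password.lower() in COMMON_WEAK:
        return True
    classes = sum([
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 2


def triage(dump_text, corporate_domain, own_services):
    """Summarise a credential dump the way a leak-monitoring team would:
    weak-password count, most common weak passwords, reuse across services,
    and corporate addresses registered on services the company does not run."""
    # maxsplit=2 keeps passwords that themselves contain commas intact
    records = [line.split(",", 2) for line in dump_text.strip().splitlines()]
    weak_counter = Counter()
    seen = defaultdict(set)          # (email, password) -> services it appears on
    third_party = set()
    for service, email, password in records:
        if is_weak(password):
            weak_counter[password] += 1
        seen[(email, password)].add(service)
        if email.endswith("@" + corporate_domain) and service not in own_services:
            third_party.add(email)
    # Same email + same password on more than one service is the re-use
    # that turns a third-party leak into a corporate compromise.
    reused_by = sorted({email for (email, _), svcs in seen.items() if len(svcs) > 1})
    return {
        "total": len(records),
        "weak": sum(weak_counter.values()),
        "top_weak": weak_counter.most_common(3),
        "reused_by": reused_by,
        "third_party_corporate_accounts": len(third_party),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP, corporate_domain="acme.example",
                     own_services={"acme-vpn.example"})
    for key, value in summary.items():
        print(f"{key}: {value}")
```

    The reuse list is the item to act on first: a weak password on a forum is the forum's problem, but the same password on the corporate VPN is yours, and the "third-party corporate accounts" count is the list of employees to contact about signing up to outside services with a work address.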
    It seems that cybersecurity companies suffer from the same password problems as every other organisation: some systems are simply forgotten about, and some accounts are protected by simple passwords.
    “Some of these accounts were probably not designed to gatekeep access to critical data, and were occasionally just used to login to different non-critical systems that were eventually compromised,” Kolochenko explained.
    “One also needs to consider that not all employees of cybersecurity companies are security professionals – a number of employees have nothing to do with cybersecurity practice and have insufficient internal training. The bigger the company is, the more human risk it will inevitably have to address,” he added.
    The findings are a reminder that cyber crime poses a risk to everyone and that organisations should follow security best practices.
    That means using complex passwords, never re-using them across accounts, and keeping track of which third-party organisations have access to company data, because that access is itself a source of risk.
    Organisations, whatever sector they operate in, can take steps to ensure they are operating as securely as possible.
    “No one is immune from surging cybercrime but we can effectively fix this by implementing informed, risk-based and threat-aware cybersecurity programs in a continuous and holistic manner,” Kolochenko said.

  • in

    IRS offers grants for software to trace privacy-focused cryptocurrency trades

    The US Internal Revenue Service (IRS) is soliciting proposals from contractors that believe they can develop technologies able to shatter the privacy surrounding cryptocurrency transactions. 

    The IRS solicitation was made public last week, as reported by Coin Telegraph, and has been made on behalf of the IRS’ Criminal Investigation department (IRS-CI). 
    IRS-CI is involved in criminal investigations and has played a role in the takedown of Dark Web marketplaces, money laundering programs, and trafficking rings.
    Cryptocurrency-related crimes, too, are on the department’s radar. Virtual coins including Bitcoin (BTC), Ethereum (ETH), and Monero (XMR) are often demanded as blackmail payments by ransomware operators; cryptocurrency trading posts are targeted by threat actors and funds stolen; exchange operators perform exit scams and run off with user coins, and crypto may also be used in the Dark Web to purchase illegal items.  
    While cryptocurrency has rapidly become a legitimate and innovative industry in its own right, the use of blockchain technologies and the emergence of privacy-focused coins designed to defeat transaction tracing are of concern to the IRS and law enforcement.
    The agency says that Monero, in particular, is rapidly becoming popular with cybercriminal groups, noting that ransomware group Sodinokibi has now moved from Bitcoin to Monero due to “privacy concerns.”
    “The use of privacy coins is becoming more popular for general use, and is also seeing an increase in use by illicit actors,” the IRS says. “Currently, there are limited investigative resources for tracing transactions involving privacy cryptocurrency coins such as Monero, Layer 2 network protocol transactions such as Lightning Labs, or other off-chain transactions that provide privacy to illicit actors.”
    IRS-CI is asking for proposals from one or more contractors to “provide innovative solutions for tracing and attribution of privacy coins and Layer 2 off-chain transactions,” including tools, software, data, and algorithms.
    Prototypes and suggested methods for tracing cryptocurrency transactions should include tracking capabilities for law enforcement and predictive analytics, and should rely as little as possible on vendor-specific technologies.
    “All solutions must support cryptocurrency transactions that occurred in 2020,” the proposal reads. “All solutions must support open standards for interoperability (common file formats, REST APIs, etc. as appropriate) to facilitate easy integration into internally developed IRS-CI cryptocurrency analytic systems and data.”
    The IRS is offering a $500,000 grant once a prototype and an “initial working system” have been submitted. Contractors are then given eight months to work on their projects, with a further $125,000 awarded on deployment.
    A deadline of September 16, 2020, has been set for applications. 
    In August, CipherTrace claimed to have developed a Monero-tracking tool for the US Department of Homeland Security (DHS). According to the company, the tracing tools are able to “visualize Monero transaction flows for criminal investigations.”
    Earlier this week, cryptocurrency exchange ETERBASE disclosed a security incident in which $5.4 million in funds was allegedly stolen. The organization said the lost cryptocurrency, including Bitcoin, Ether, and Ripple, was held in hot wallets: wallets whose signing keys are kept on internet-connected systems so they can sign transactions on demand, which is also what makes them reachable by attackers.


  • in

    ThreatConnect acquires enterprise risk management firm Nehemiah Security

    ThreatConnect has acquired Nehemiah Security to bring Cyber Risk Quantification (CRQ) to the firm’s existing cybersecurity solutions range. 

    Announced on Thursday, the deal — made through ThreatConnect’s purchaser entity NS Holdings LLC — will see all of Nehemiah Security’s assets transferred over to ThreatConnect. 
    The financial terms of the deal were not disclosed. 
    Founded in 2015, Washington DC-based Nehemiah Security is a startup that focuses on the CRQ space. 
    According to the company, cybersecurity concerns may “block or suffocate” business initiatives, however, they can also “fuel and empower business initiatives” when staff have a strong grasp on what resources and business-critical processes they need to protect — as investments can be funneled into the correct channels and disruption can be kept to a minimum.
    “This is no simple task,” the company said in a blog post. “Many security teams dive in headfirst and get lost in the weeds. Starting this change from the bottom-up is a grind, one that doesn’t get far. A successful program starts from the top, with a CISO that understands the business proportionately to cyber and can communicate, in financial terms, how security investment underpins business operations.”
    This is where CRQ comes in. Applying risk assessment methodologies and tooling at the start of the security lifecycle gives enterprises a clearer picture of the cybersecurity risks the company faces, and of how best to balance security investment against shareholder value.
    Nehemiah Security’s CRQ solutions will be added to ThreatConnect’s existing Threat Intelligence Platform (TIP), which includes security orchestration, automation, and threat response technologies. Specifically, Nehemiah’s Risk Quantifier (RQ) is now under the ThreatConnect brand. 
    RQ leverages different sets of risk models including the Factor Analysis of Information Risk (FAIR) model. ThreatConnect says a risk-based approach “makes prioritization easy for security teams, enabling them to filter out noise and focus on what matters most.”
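    A worked sketch of what a FAIR-style quantification computes, as an added example that is not ThreatConnect's or Nehemiah's code and says nothing about how RQ itself is implemented: each factor is estimated as a (minimum, most likely, maximum) range, Loss Event Frequency is Threat Event Frequency times Vulnerability, and a Monte Carlo run over the ranges yields a distribution of annualized loss whose mean and tail percentiles can be compared across scenarios, which is the prioritisation the article refers to. The two scenarios, their figures and the triangular-distribution simplification (FAIR practitioners typically use PERT) are assumptions of this example.

```python
import math
import random

# Constructed scenarios with illustrative figures; not from the page or from RQ.
# Each factor is a (min, most_likely, max) estimate.
SCENARIOS = {
    "ransomware via exposed RDP": {
        "tef": (2, 5, 12),                   # threat events per year
        "vuln": (0.1, 0.3, 0.6),             # P(threat event becomes a loss event)
        "loss": (20_000, 80_000, 400_000),   # loss magnitude per event, USD
    },
    "BEC via phishing": {
        "tef": (20, 50, 100),
        "vuln": (0.01, 0.03, 0.08),
        "loss": (5_000, 30_000, 150_000),
    },
}


def _tri_mean(est):
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0


def expected_annual_loss(scenario):
    """Closed-form FAIR expectation: E[TEF] * E[Vuln] * E[LM], factors independent."""
    return (_tri_mean(scenario["tef"]) * _tri_mean(scenario["vuln"])
            * _tri_mean(scenario["loss"]))


def _sample_tri(rng, est):
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)   # stdlib argument order is (low, high, mode)


def _poisson(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario, trials=20_000, seed=1):
    """Monte Carlo over the ranges: per trial, draw LEF = TEF * Vuln, draw the
    number of loss events from Poisson(LEF), then sum a fresh loss magnitude
    per event. Returns mean and tail percentiles of annualized loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = _sample_tri(rng, scenario["tef"]) * _sample_tri(rng, scenario["vuln"])
        events = _poisson(rng, lef)
        losses.append(sum(_sample_tri(rng, scenario["loss"]) for _ in range(events)))
    losses.sort()

    def pct(p):
        return losses[int(p * (len(losses) - 1))]

    return {
        "mean": sum(losses) / len(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_no_loss": losses.count(0.0) / len(losses),
    }


def rank_scenarios(scenarios, metric="p90", **kwargs):
    """Order scenarios by a chosen statistic, highest first; tail metrics
    (p90/p95) favour rare-but-severe scenarios that the mean understates."""
    results = {name: simulate(s, **kwargs) for name, s in scenarios.items()}
    return sorted(results, key=lambda name: results[name][metric], reverse=True)


if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        r = simulate(scenario)
        print(f"{name}: closed-form {expected_annual_loss(scenario):,.0f}  "
              f"MC mean {r['mean']:,.0f}  p90 {r['p90']:,.0f}  p95 {r['p95']:,.0f}")
    print("priority order by p90:", rank_scenarios(SCENARIOS))
```

    The closed-form product is the number that ends up in a board slide; the percentiles are what the article means by "in financial terms", because a control that lowers Vulnerability for the ransomware scenario can be priced against the p90 loss it removes. Where the mean and p90 rank scenarios differently, that disagreement is itself the finding worth escalating.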
    “The decision to acquire Nehemiah was an easy one as they are ahead of the market in terms of their ability to automate cyber risk quantification,” commented Adam Vincent, ThreatConnect CEO. “They help overcome much of the pain felt by early CRQ adopters where manual data collection and lengthy professional services engagements are the norm.”
    Earlier this week, Secureworks announced the acquisition of Delve, a provider of an AI and machine learning-based platform for vulnerability assessment and prioritization. Financial details were not disclosed. 


  • in

    Home Affairs secretary foresees change in Commonwealth cyber operating model

    Department of Home Affairs Secretary Mike Pezzullo
    Screenshot: Asha Barbaschow/ZDNet
    Aside from his passion for test cricket and disappointment at not getting the call to be the St George Dragons’ new NRL coach, Secretary for the Department of Home Affairs Mike Pezzullo shared a few things about the future of cybersecurity within Australia and expanded on what to expect from the nation’s 2020 Cyber Security Strategy.
    Being interviewed by Alastair MacGibbon, who prior to heading up his own Australian cybersecurity megamix, CyberCX, was former Prime Minister Malcolm Turnbull’s special advisor on cyber, Pezzullo was asked where the government was at with its own cybersecurity.
    Placing some of the blame on gaps in legacy systems, the complexity involved in decommissioning decades-old investments, and the large attack surface that is the Commonwealth, Pezzullo said the cybersecurity strategy would provide the opportunity to do better.
    “This isn’t a silver bullet that will solve all problems, but we’re looking to consolidate at least the attack surface to better defend it; fewer hubs, so the larger players who have got the depth, they’ve got the skills, they’ve got the resources. 
    “In some cases, they’ve got the connectivity to the ASD (Australian Signals Directorate) in real-time. They can provide us with that threat picture that is unique to the signals authority, but also in some cases, larger departments have got more capacity,” Pezzullo explained.
    He said while providing a “hard external shell” would not obviate the other work that is needed to protect the endpoint and deal with the human element of cybersecurity, it would at least block out some of the threat.
    Pezzullo, alongside counterparts from Treasury and the Department of Industry, is part of a strategies board that has been charged under the cybersecurity strategy with developing what he was hesitant to label as “regulation”.
    “The strategies board has formed itself around this issue … we’re going to work through how we get to scale, how are we going to consolidate, and where there are known vulnerabilities because in some cases you’ve got systems that are quite old. Coding’s old, the vulnerabilities are known, but it’s not a simple matter because you’ve got to migrate,” he said. 
    “In some cases, taking systems down and offline to even patch creates risk.
    “So how do you, with a known vulnerability, mitigate and put alternative measures in place until, over time, new investment comes through to allow you to decommission and build in a world of virtualised systems and a world where cybersecurity is frankly more built into the design of modern systems? 
    “While you’re waiting for that investment to flow through, you can decommission some of those older systems [but] how can you at least create a perimeter around those systems that at least block out more of the threat?”
    He expects by the end of this financial year, the board will have a single cybersecurity hub strategy that maps out all of the known vulnerabilities and is a place where government can place local defences to protect all points and “harden that external shell”.
    “I think the operating model for federal government cyber will need to change, because to do all of the things I’ve just suggested, you can’t just put it in a box and call it ‘cyber’ then have your network operations and your architecture and your deployment of apps over here,” Pezzullo said.
    He also said certain assets and networks within government would be designated as critical infrastructure to put ASD in a position to actively defend against cyber threats.
    Touching further on the strategies board and the “obligations” it determines for consumers, vendors, small businesses, large enterprises, and those involved in critical infrastructure, Pezzullo said something that “looks like a regulatory scheme”, would, by definition, have to emerge.
    “Because whether it’s a function of consumer protection, consumer choice, or whether quite probably, small or medium enterprises, larger enterprises, and ultimately the very top of the commercial food chain — those larger enterprises that run critical infrastructure or assets or networks within critical infrastructure — are going to want to have confidence that the entity that they’re engaging with is accredited; is properly fit for purpose,” he said.
    “How exactly we get the regulatory; how we land is the work of the next 12-18 months with the regulatory taskforce.”
    Pezzullo said market and regulatory forces inevitably bring about a model that works, adding that he’s hedging on it.
    Pointing to the banning of Huawei without mentioning the Chinese company by name, Pezzullo said the industry is being shaped around the emergence of 5G.
    “You’ve seen this in 5G where government regulation starts to set the parameters of risk [that] may or may not conform with the definition of being an appropriate vendor,” he said.
    “I think cybersecurity is one of those areas we should be seriously looking at in terms of sovereign capability, especially as we think about the recovering reconstruction coming out of COVID. 
    “Where are the jobs going to come from, where are the new industries.”
    Pezzullo believes the 2020 strategy, alongside the 2016 document and the AU$1.5 billion CESAR package, “will be so transformative”.
    “In four or five years’ time, you and I will be sitting here … saying the whole landscape is transformed. There’s a deeper industry, we have more weapons and tools to protect critical sectors, we’re on the front foot in terms of actively defending some of those sectors … we’ve got an innovative sector here that is a continental version of Israel or Singapore,” the secretary added.

  • in

    Microsoft confirms Chinese, Iranian, and Russian cyber-attacks on Biden and Trump campaigns


    Microsoft said today that Chinese, Iranian, and Russian state-sponsored hackers had tried to breach email accounts belonging to people associated with the Biden and Trump election campaigns.
    The “majority of these attacks” were detected and blocked, according to Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft.
    Burt disclosed the incidents in a blog post today after Reuters reported yesterday some of the Russian attacks against the Biden camp.
    In a comprehensive blog post, Burt revealed additional attacks and also confirmed a DNI report from August that claimed that Chinese and Iranian hackers were also targeting the US election process.
    Russian attacks
    According to Microsoft, the attacks carried out by Russian hackers were linked back to a group that the company has been tracking under the name of Strontium and the cyber-security industry as APT28 or Fancy Bear.
    Microsoft says this group has been particularly active, targeting more than 200 organizations all over the world between September 2019 and today, with victims including:
    US-based consultants serving Republicans and Democrats;
    think tanks such as The German Marshall Fund of the United States, and advocacy organizations;
    national and state party organizations in the US;
    the European People’s Party and political parties in the UK.
    Microsoft said that while Strontium usually carried out spear-phishing email attacks, in recent months, the group has been using brute-force and password spraying techniques as a complementary method to breaching accounts.
    Since these attacks are noisy and easy to detect, Microsoft said Strontium has been hiding its mass credential-harvesting operations by using “more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service” and by “adding and removing about 20 IPs per day to further mask its activity.”
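    Why rotating source addresses defeat the usual brute-force rule, and what to key on instead, as an added example that is not Microsoft's detection logic: a per-IP failure threshold only fires when one address hammers one account, whereas a spray shows up as many accounts each failing once or twice from many different addresses, so the second rule below counts account spread and source diversity rather than failures per IP. The log format, the TEST-NET addresses, the account names and the thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real telemetry), one event per line:
# "<ISO timestamp> <account> <source IP> <result>". Twelve accounts each fail
# once from a different address (the spray), one user mistypes twice then
# succeeds, and one address brute-forces a single account.
SAMPLE_LOG = """\
2020-09-10T08:00:05 user01 198.51.100.1 FAIL
2020-09-10T08:00:25 user02 198.51.100.2 FAIL
2020-09-10T08:00:45 user03 198.51.100.3 FAIL
2020-09-10T08:01:05 user04 198.51.100.4 FAIL
2020-09-10T08:01:25 user05 198.51.100.5 FAIL
2020-09-10T08:01:45 user06 198.51.100.6 FAIL
2020-09-10T08:02:05 user07 198.51.100.7 FAIL
2020-09-10T08:02:25 user08 198.51.100.8 FAIL
2020-09-10T08:02:45 user09 198.51.100.9 FAIL
2020-09-10T08:03:05 user10 198.51.100.10 FAIL
2020-09-10T08:03:25 user11 198.51.100.11 FAIL
2020-09-10T08:03:45 user12 198.51.100.12 FAIL
2020-09-10T08:03:00 jdoe 192.0.2.10 FAIL
2020-09-10T08:03:20 jdoe 192.0.2.10 FAIL
2020-09-10T08:03:40 jdoe 192.0.2.10 SUCCESS
2020-09-10T08:04:00 admin 203.0.113.9 FAIL
2020-09-10T08:04:10 admin 203.0.113.9 FAIL
2020-09-10T08:04:20 admin 203.0.113.9 FAIL
2020-09-10T08:04:30 admin 203.0.113.9 FAIL
2020-09-10T08:04:40 admin 203.0.113.9 FAIL
2020-09-10T08:04:50 admin 203.0.113.9 FAIL
"""

_EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events


def _bucket(ts, window):
    """Floor a timestamp to the start of its tumbling window."""
    offset = (ts - _EPOCH).total_seconds() % window.total_seconds()
    return ts - timedelta(seconds=offset)


def per_ip_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Classic rule: flag any source IP with >= threshold failures in a window.
    Misses a spray entirely, because each address contributes one failure."""
    fails = defaultdict(int)
    for ts, _, ip, result in events:
        if result == "FAIL":
            fails[(_bucket(ts, window), ip)] += 1
    return sorted({ip for (_, ip), n in fails.items() if n >= threshold})


def password_spray(events, window=timedelta(minutes=10), min_accounts=8,
                   min_ips=5, max_failures_per_account=2):
    """Spray rule: many distinct accounts, each with only a few failures,
    hit from many distinct sources inside one window. Accounts with more
    failures than max_failures_per_account are left to the brute-force rule."""
    buckets = defaultdict(lambda: defaultdict(list))   # window -> account -> [ip, ...]
    for ts, account, ip, result in events:
        if result == "FAIL":
            buckets[_bucket(ts, window)][account].append(ip)
    alerts = []
    for start, accounts in sorted(buckets.items()):
        low = {a: ips for a, ips in accounts.items() if len(ips) <= max_failures_per_account}
        sources = {ip for ips in low.values() for ip in ips}
        if len(low) >= min_accounts and len(sources) >= min_ips:
            alerts.append({"window_start": start, "accounts": len(low),
                           "source_ips": len(sources),
                           "sample_accounts": sorted(low)[:5]})
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_bruteforce(evts))
    print("spray rule alerts:", password_spray(evts))
```

    Tumbling windows are the simplification here: a spray paced across a window boundary can split into two buckets that each fall below the thresholds, so a production rule uses a sliding window or a longer one, and the 20-addresses-a-day churn Microsoft describes is exactly why the per-IP list in the output stays empty for the sprayed accounts.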
    Iranian attacks
    The attacks carried out by Iranian hackers, meanwhile, came from a group tracked as Phosphorus (also known as APT35, Charming Kitten, and the Ajax Security Team).
    These attacks are a continuation of a campaign that started last year, and which Microsoft detected and warned about in October 2019.
    At the time, Microsoft warned that the hackers targeted “a 2020 US presidential campaign,” but did not name which one. Through some open-source detective work, several members of the security community later tied the attacks to the Trump campaign.
    Today, Microsoft confirmed that the attacks indeed targeted the Trump campaign, but also revealed new activity related to the group.
    “Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff,” Burt said.
    Furthermore, Burt added that after Microsoft used court orders to take control of 99 Phosphorus domains in March 2019, they used the same tactic again to take over another 25 domains last month, which brought the company’s total to 155 domains formerly owned by Phosphorus.
    Chinese attacks
    Attacks were also detected from Chinese groups. While dozens of hacking groups are believed to operate under the orders and protection of the Chinese government, Microsoft said the attacks targeting US campaigns came from a group known as Zirconium (APT31), the same group that Google spotted earlier this year, in June.
    Microsoft says it detected thousands of attacks orchestrated by this group between March 2020 and September 2020, with the hackers gaining access to almost 150 accounts during that timeframe.
    The targets of these attacks usually fell into two categories:
    People closely associated with US presidential campaigns and candidates.
    Prominent individuals in the international affairs community, academics in international affairs.
    In the first category, Microsoft listed the Biden campaign (through non-campaign email accounts belonging to people affiliated with the campaign) and attacks against at least one individual formerly associated with the Trump Administration.

  • in

    Reolink E1 zoom review: Indoor security camera with zoom, super HD, and two-way audio

    Pros
    ✓355 degrees panning
    ✓Works with 2.4GHz and 5GHz
    ✓40ft detection range

    Cons
    ✕Slight comms lag

    The Reolink E1 zoom indoor security camera is a nice device, small at 111mm high, unobtrusive at 79mm wide, and has a range of features that you can set and forget. 
    Like the Netvue Orb and the Heimvision HM302 indoor cameras, the E1 zoom has pan and tilt control. It will pan up to 355 degrees and tilt up to 50 degrees so it can be situated anywhere in a room to give complete coverage.
    Unlike most other devices that connect to Wi-Fi, the E1 zoom has a dual-band Wi-Fi connection, so there is no need to faff about trying to connect the device to 2.4GHz.

    Its images are sharp and clear: the 5-megapixel sensor records at 2560 x 1920 through a 2.8-8mm autofocus lens (F1.6) with an IR-cut filter.
    This camera does not include an SD card, but you can install your own micro SD card up to 64GB in size.
    Alternatively, you can back up your 20fps videos to the Reolink Cloud, or purchase an optional Reolink NVR (Network Video Recorder) unit that will support up to 8 or 16 cameras and has a hard drive of either 2TB or 3TB.

    Inside the box, there is the camera, a mounting plate, a power adapter, and some screws. There is also a quick start guide, a template for where to drill the holes in the wall for the mount, and a surveillance sign to stick in the window.
    Setting up the camera, like the Reolink Argus PT outdoor security camera is simple. All you need to do is install the Reolink app, scan the QR code on the bottom of the camera, and connect the camera to your Wi-Fi.
    Then show the QR code that is generated on the app to the security camera, and connect the camera to the app. Streamlined and simple.
    The app is also simple to use. Zoom in to see objects in detail and talk to people in the room from wherever. 
    You can set email alerts and notifications, and configure a siren to sound at your command or at preconfigured times of the day. You can also record a personalized audio alarm.
    The sound is excellent, so you can record and hear what is happening at home when you are away. Although my internet connection speed means I had a slight comms lag, it was not an issue to talk through the camera to the person in the room.
    In the dark, the camera will detect movement up to 40 feet away, slightly further than the $35 Netvue Orb at 32 feet or the $51 Heimvision HM302 at 30 feet.

    The more expensive SimCam 1S can detect movement up to 60 feet away. The picture quality is crisp and clear — even in pitch black rooms.
    All in all, this is a nice security camera with a good app and crisp images. For around $70, the Reolink E1 Zoom indoor security camera will give you all-round monitoring and peace of mind. More

  • in

    Ransomware accounted for 41% of all cyber insurance claims in H1 2020


    Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America.
    The high share of claims confirms earlier reports from multiple cyber-security firms that ransomware is one of today’s most prevalent and destructive threats.
    “Ransomware doesn’t discriminate by industry. We’ve seen an increase in ransom attacks across almost every industry we serve,” Coalition added.
    “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” the company added.
    Among the most aggressive gangs, the cyber insurer listed Maze and DoppelPaymer, which have recently begun exfiltrating data from hacked networks, and threatening to release data on specialized leak sites, as part of double extortion schemes.
    Based on cyber insurance claims filed by customers who faced a ransomware attack in the first half of 2020, Coalition said the Maze ransomware gang was the greediest, with ransom demands six times larger than the overall average.

    But besides ransomware incidents, Coalition said it also recorded a spike in the number of cyber insurance claims filed for funds transfer fraud attacks and business email compromise (BEC) events, with the first growing 35% from 2019 to 2020, and the second growing 67%.
    Both are similar types of incidents, where criminal gangs trick a company into making a payment into an attacker-controlled account. The difference is that funds transfer fraud attacks can also occur via phone call or mail; BEC attacks are carried out purely via email.
    Reported losses from these incidents have ranged from the low thousands to well above $1 million per event, and Coalition says that companies using Microsoft Office 365 have seen 3.2 times more BEC incidents than organizations using other email providers.
    Nonetheless, Coalition said that in many cases of funds transfer fraud attacks, as well as BEC attacks, lost funds could be recovered, with quick intervention.
    “Since the beginning of 2018, […] we’ve been able to recover funds in 55% of all cases, and we’ve recovered 84% of lost funds for these clients,” the cyber insurer said.


  • in

    Windows 10 2004 Patch Tuesday problem: Update breaks WSL2, say users

    Microsoft’s Patch Tuesday security update for Windows 10 version 2004 has reportedly broken Windows Subsystem for Linux 2 (WSL2). 
    Multiple Windows 10 version 2004 users are reporting they’re unable to launch WSL2 after installing Tuesday’s security update, detailed in KB4571756. The update pushes Windows 10 2004 up to build number 19041.508. 

    WSL2 ships a full Linux kernel, with improved system-call compatibility for Linux software such as Docker, FUSE and rsync. WSL2 shipped with Windows 10 version 2004, aka the May 2020 Update, and was recently backported to Windows 10 1903 and 1909.
    As spotted by BleepingComputer and TechDows, a user on GitHub has reported that after installing KB4571756, WSL2 crashes with the errors ‘Element not found’ and ‘Process exited with code 4294967295’ (4294967295 is 0xFFFFFFFF, the unsigned rendering of a -1 exit status).
    Several other Windows 10 2004 users reported that uninstalling KB4571756 and reverting to build number 19042.487 allows WSL2 to start again.
    One user who was on Windows 10 Home didn’t have any problems with WSL2 after installing the update, noting that Windows 10 Home edition doesn’t support Hyper-V natively whereas Windows 10 Pro does. 
    Another user who did not have Hyper-V installed also didn’t run into any issues with WSL2 after installing KB4571756.
    Microsoft rearchitected WSL 2 so that it runs a Microsoft-built Linux kernel inside a lightweight virtual machine based on a subset of Hyper-V.
    Microsoft has yet to acknowledge the WSL2 reports linked to the update. While uninstalling the update via Settings and Update History appears to resolve the issue, Windows 10 2004 users who do that should be aware that it will also remove patches for 20 critical vulnerabilities that were addressed in the September security update.  
