More stories

  • CyberCX continues NZ expansion with Insomnia Security purchase

    After launching a New Zealand chapter last month, Australian cybersecurity powerhouse CyberCX has already started its expansion, adding Insomnia Security to its growing list of companies.
    Based in Auckland, with offices in Wellington, Insomnia Security is known for its team of 30 specialised security testers. Founded in 2007, the company specialises in offensive security testing services and is touted by CyberCX as defending against the most current attacks and exploitation techniques through expert training, research, and tool development.
    The team of 30 will join the CyberCX brand.
    “We are delighted to join CyberCX,” Insomnia Security managing director Brett Moore said. “What CyberCX is building is truly unique — New Zealand’s most formidable force of cybersecurity professionals. A world class cybersecurity capability with a dedicated trans-Tasman focus. We are very proud to be part of it.”
    CyberCX, backed by private equity firm BGH Capital, in October brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.
    In announcing it was launching in New Zealand, the company said it was cementing its position as the region’s “leading cybersecurity player”, creating a full-service cybersecurity operator in the country.
    “New Zealand is a natural market focus for CyberCX. With the exponential growth in the number of cyber attacks on Australian and New Zealand businesses and government agencies, and the aggressive tactics we are seeing from threat actors, we need to significantly bolster our trans-Tasman cyber capability to secure our companies and sovereign interests, in particular, Australian and New Zealand critical infrastructure including utilities, agricultural, financial systems, logistics, and supply chain,” Paitaridis said at the time.
    Paitaridis said the Insomnia Security acquisition has established CyberCX’s penetration testing workforce as the largest in the region.
    “Insomnia Security provides CyberCX with a significant enhancement to our security testing expertise and a major boost to our trans-Tasman capability,” he said.
    “The Insomnia Security team has a global reputation, specialising in offensive security testing services. With a customised client-focused approach, Insomnia Security identifies key cyber threats and works strategically with organisations to contain cyber threats before they become a serious breach.”
    CyberCX has also scooped up two Melbourne-based startups since it launched, Basis Networks and Identity Solutions.

  • Warner Music discloses months-long web skimming incident


    Music recording powerhouse Warner Music Group has disclosed today a security incident that involved some of the company’s online stores.
    Called “web skimming” or “magecart,” this type of attack happens when hackers take control of a website and insert malicious code that logs the customer details entered into payment forms.
    In a data breach notification letter filed today with the Office of the Attorney General in the state of California, Warner Music said it suffered one such attack earlier this year.
    Between April 25 and August 5, Warner Music said hackers compromised “a number of US-based e-commerce” that were “hosted and supported by an external service provider.”
    “Any personal information you entered into one or more of the affected website(s) between April 25, 2020 and August 5, 2020 after placing an item in your shopping cart was potentially acquired by the unauthorized third party,” the company said.
    “This could have included your name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV and expiration date).”
    Payments made through PayPal were not impacted, Warner Music added.
    However, this is about where the data breach notification stops being useful. Warner Music didn’t list the stores where the malicious code was injected, meaning regular shoppers wouldn’t be able to tell whether they were impacted or not.
    Since the company manages tens of smaller music studios, it is unclear which of these were affected.
    Warner Music is now offering free credit monitoring through Kroll — details are included in the notification letter.

  • Facebook explains how it will notify third-parties about bugs in their products

    Facebook engineers manage one of the biggest software portfolios in the world, with tens of apps and millions of lines of code that provide a wide variety of services to billions of users around the world.
    Managing this gigantic codebase is hard work due to its sheer size, and, of course, its complexity.
    Finding security bugs in this giant pile of code isn’t always simple, but through in-house-developed static analysis tools like Pysa and Zoncolan, Facebook has made a concerted effort to find issues before they reach public-facing code.
    However, not much has been revealed about what happens when Facebook engineers discover security bugs inside their code.
    Obviously, the vulnerability is patched, but some bugs are harder to fix than others. That’s because not all of Facebook’s code is unique. A large portion of Facebook’s applications is also propped up by smaller libraries developed by third-parties.
    For the past few years, Facebook has often found vulnerabilities in these third-party components, which the company’s security team has always reported to their respective owners.
    However, not all disclosures have gone to Facebook’s liking. Some library developers have fixed bugs within days, while in other cases Facebook had to fork libraries and patch the code itself, or develop its own in-house alternatives.
    But Facebook doesn’t believe this should be the norm, as it’s not fair to the other users of these third-party libraries, most of whom will continue to use the unpatched code.
    Facebook wants to address these problematic disclosures through a new policy the company intends to apply starting today.
    Facebook’s new vulnerability disclosure policy
    The new “vulnerability disclosure policy” is a set of rules that Facebook engineers plan to apply when reporting vulnerabilities they find to third-party entities.
    According to a summary of these new rules, Facebook promises to “make a reasonable effort to find the right contact for reporting a vulnerability” to any third-party entity.
    After contact is made, Facebook says it will provide an in-depth technical report describing the bug, but if a company/developer doesn’t acknowledge receiving this report within 21 days, its engineers will publicly disclose bug details online so other users/developers can protect their products.
    Third-parties who acknowledge reports have 90 days to fix issues, which is the unofficial standard timeframe in the software community that bug hunters give companies to patch security flaws.
    While Facebook might give some companies some leeway over this 90-day deadline, once this passes, Facebook says it will publicly disclose bug details and let users and companies mitigate the third-party bug as they see fit.
    The only situation where Facebook will go public right away is when a bug in a third-party component is under active exploitation. Not all zero-days, as these bugs are also called, will be disclosed right away, however, but only those cases where disclosing the bug helps users stay safe.
    These VDPs, or “ethics statements,” as they’re also known, are not unique to Facebook; other companies and even independent security researchers have one, usually listed on their websites.
    For example, this is the VDP of Project Zero, a security team inside Google that’s specialized in finding security flaws in products usually deployed inside Google’s own network.
    Each VDP is unique, and Facebook’s is fairly standard, so third parties shouldn’t have any issues following its basic rules.
    A more in-depth look at Facebook’s VDP is available below:
    Reporting 
    Facebook will make a reasonable effort to find the right contact for reporting a vulnerability, such as an open source project maintainer. We will take reasonable steps to find the right way to get in touch with them securely. For example, we will use contact methods including but not limited to emailing security reporting emails (security@ or secure@), filing bugs without confidential details in bug trackers, or filing support tickets. 
    The contact should acknowledge the report as soon as reasonably possible. 
    The contact should confirm whether we’ve provided sufficient information to understand the reported problem. 
    In its report, Facebook will include a description of the issue found, a statement of Facebook’s vulnerability disclosure policy, and the expected next steps.
    If needed, Facebook will provide additional information to the contact to aid in reproducing the issue. 
    If we do not receive a response within 21 days from a contact acknowledging the report of a vulnerability, we will assume that no action will be taken. We then reserve the right to disclose the issue.
    For purposes of the disclosure timeframe, Facebook’s sending the report constitutes the start of the process. 
    Facebook will generally decline to sign non-disclosure agreements specific to an individual security issue that we have reported.
     
    Mitigation & Timeline
    Whenever appropriate, Facebook will work with the responsible contact to establish the nature of the issue and potential fixes. We will share relevant technical details to help expedite the fix.
    The contact should be as transparent as possible about the mitigation progress. They are expected to make reasonable effort to fix the reported issue within 90 days.
    Facebook will coordinate the disclosure with the availability or rollout of the fix. 
    If no fix is forthcoming at the 90-day mark, we will notify the contact of our intent to disclose the reported issue. 
    If there are no mitigating circumstances, we will disclose the issue as soon as we are reasonably able to do so.
     
    Disclosure
    Depending on the nature of the problem, there may be a number of disclosure paths: 1) we may disclose the vulnerability publicly, 2) we may disclose it directly to the people using the project, or 3) we may issue a limited disclosure first, followed by a full public disclosure. Facebook will work with the contact to determine which approach is most appropriate in each case.
    Our intent is to disclose vulnerabilities in a way that is most helpful to the community. For example, we may include guidance on workarounds, methods for validating patches are in place, and other material that helps people contain or remediate the issue. 
    We may choose to include a timeline to document communication and remediation actions taken by both Facebook and the third party. Where reasonable, our disclosure will include suggested steps for mitigating actions.
    We will include a CVE when available, and, if necessary, issue an appropriate CVE.
    Additional disclosure considerations
    Here are some potential scenarios when Facebook may deviate from our 90-day requirement:

    If the bug is actively being exploited, and disclosing would help people protect themselves more than not disclosing the issue. 
    If a fix is ready and has been validated, but the project owner unnecessarily delays rolling out the fix, we might initiate the disclosure prior to the 90-day deadline when the delay might adversely impact the public.
    If a project’s release cycle dictates a longer window, we might agree to delay disclosure beyond the initial 90-day window, where reasonable.

    Facebook will evaluate each issue on a case-by-case basis based on our interpretation of the risk to people. 
    We will strive to be as consistent as possible in our application of this policy.
    Nothing in this policy is intended to supersede other agreements that may be in place between Facebook and the third party, such as our Facebook Platform policies or contractual obligations.

  • Facebook to list all WhatsApp security issues on a new dedicated website

    Facebook will launch today a new web page where the company plans to list all the vulnerabilities that have been identified and patched in the WhatsApp instant messaging service.
    The app maker regularly publishes WhatsApp release notes on the iOS and Google Play Store pages; however, these changelogs don’t go into detailed descriptions of the patched security bugs, most of which are described only as “security fixes.”
    Facebook says this is “due to the policies and practices of app stores,” but hopes the new page will effectively work as a security-focused changelog for interested users.
    Details that will be listed on Facebook’s new WhatsApp security advisories page will include a short description of the bug, and a Common Vulnerabilities and Exposures (CVE) identifier, where possible.
    CVE numbers are meant for security researchers who want to track bugs and possible exploitation attempts in the real world, or for security firms that want to issue security alerts to their own customers.
    Facebook said that bugs listed on this page have not necessarily been exploited in the wild. All the vulnerabilities listed on the site are bugs that have been recently patched, and the new page should stand as an example of, and a warning about, why users need to keep the WhatsApp app up-to-date at all times in order to prevent future attacks.
    In addition, the new WhatsApp security advisories page will also list bugs patched in libraries used by the app.
    If these bugs have a broader impact, outside of the WhatsApp app, then Facebook said it would also notify the developers of those libraries and mobile OS makers.
    “We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts,” Facebook said today.
    “We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”

  • Apple mocks people's carelessness and it's a hollow laugh

    You’re so silly, you.

    You spend all day on your phones and laptops and you have no idea just how much of what you say and do via these things simply isn’t private.
    You just don’t care, do you? 
    It’s like walking up to strangers and shouting your credit card number. Or telling them your heart rate. Or revealing that you’re trying to divorce your ever-loving spouse.
    You have to laugh, don’t you?
    Well, Apple does. Its latest ad is a veritable litany of humanity’s sins, as it blithely tosses privacy to the winds in favor of immediacy, convenience and sheer laziness.
    Here we see people going through their everyday lives, exposing themselves on the subway, in a restaurant, on the street and even in a restroom.
    Exposing their private information, that is.
    Buy an iPhone and your life will be private, says the ad. Wait, or does it?
    Well, what’s interesting here is that there are no phones in the main part of the ad, so we have no idea whether at least some of these people might actually be iPhone users.
    Moreover, Apple’s promise at the end is carefully worded: “Some things shouldn’t be shared. iPhone helps keep it that way.”
    Helps is correct. Apple does try harder to preserve what’s left of human dignity.
    Yet, as a blisteringly depressing Washington Post article last year revealed, in one week with an iPhone thousands of trackers — mostly in apps — merrily sent on the user’s identifiable information to others.
    There’s little hope of actual privacy when the whole tech ecosystem is built on stalking.
    That’s what recently led a top LG executive to dump Chrome for Brave.
    The vast majority of people, however, can’t be bothered. If they think about tracking at all, they think it’s inevitable. If they think about privacy at all, they vaguely remember it used to exist.
    For Apple, of course, marketing privacy is a way of suggesting its brand is more purely attuned to humanity’s needs and feelings.
    The snag is, of course, that humans are very good at ruining themselves without any help at all.

  • European ISPs report mysterious wave of DDoS attacks

    More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure.
    The list of ISPs that suffered attacks over the past week includes Belgium’s EDP, France’s Bouygues Télécom, FDN, K-net, SFR, and the Netherlands’ Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl.
    Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active.
    NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week’s incidents.
    “Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs,” a spokesperson said. “Most of [the attacks] were DNS amplification and LDAP-type of attacks.”
    “Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume,” NBIP said.
    The DDoS attacks against European ISPs all took place starting on August 28, a day after ZDNet exposed a criminal gang engaging in DDoS extortion against financial institutions across the world, with victims like MoneyGram, YesBank India, Worldpay, PayPal, Braintree, and Venmo.
    While ZDNet does not yet have any evidence that the two series of incidents are connected, the DDoS attacks against financial services subsided right as the attacks against European ISPs got underway.
    Furthermore, sources tracking the extortion group told ZDNet that, just weeks before attacking financial services, the same gang had also targeted several ISPs in Southeast Asia.
    In addition, several security experts have also told ZDNet that the massive CenturyLink outage that took place over the weekend is believed to have been the result of an initial DDoS attack. In separate reports, both Cisco and CloudFlare said the outage was caused by a bad Flowspec rule, a tool typically deployed when mitigating DDoS attacks.

  • New Python-scripted trojan malware targets fintech companies

    A well-resourced hacking operation has deployed newly-developed trojan malware in a campaign targeting financial tech organisations with the aim of stealing email addresses, passwords and other sensitive corporate information – and the malicious code is bundled inside code ripped from legitimate applications.
    Known as Evilnum, the advanced persistent threat (APT) group first emerged in 2018. One of the reasons for its success is how often it has changed tools and tactics as it takes aim at fintech-related targets, mostly located in Europe and the UK, although some victims are located in the Americas and Australia.
    Evilnum’s activity has been varied, with reports of it using different components written in JavaScript and C#, and now it has deployed another new tool for attacks. This time, it’s a Python-scripted remote access trojan (RAT) which emerged in recent weeks alongside a new spate of targeted attacks.
    Uncovered by cybersecurity researchers at Cybereason who’ve dubbed it PyVil RAT, the trojan allows attackers to secretly steal corporate information through the use of keylogging and taking screenshots, as well as the ability to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed and whether USB devices are connected.
    Previous Evilnum attacks have begun with highly targeted spear phishing emails and the PyVil delivery campaign is similar, although rather than delivering Zip archives like before, the compromise begins with emails containing an LNK file masquerading as a PDF.
    The phishing emails claim to contain identification documents associated with banking, including utility bills, credit card statements and even driver’s license photos.
    If opened, the file starts a sequence which ultimately sees the compromised machine connected to Evilnum’s command and control servers and the trojan malware dropped on the system – with the servers able to provide instructions and potential additional functionality to PyVil – all while staying hidden from the victim.
    One of the reasons the new trojan is able to do this is because the malicious code is obfuscated behind many different layers, including being bundled inside code from legitimate software which has somehow been plucked and wrapped around the malware.
    “This tactic works to their advantage in several ways, including avoiding detection and maintaining persistence – the abuse of legitimate code is more common with more sophisticated actors,” Tom Fakterman, threat researcher at Cybereason told ZDNet.
    While it remains unclear who the cyber criminals behind Evilnum ultimately are, the highly targeted nature of the attacks combined with the way in which they’re constantly changing their tactics leads researchers to believe that it’s a highly professional, well-resourced campaign.
    Evilnum is thought to remain active, and it’s likely only a matter of time before the group changes its tools and techniques for targeting organisations in the fintech space once more.
    “We still see samples of the malware pop up and we see that the threat actors’ infrastructure is still active. The best way of protection is education, improving security hygiene and teaching employees not to be duped into opening phishing emails and not downloading information from dubious websites,” Fakterman said.

  • MIT SCRAM: a new analysis platform for prioritizing enterprise security investments

    MIT has debuted a new platform designed to help the enterprise decide how to invest in cybersecurity. 

    On Thursday, MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) launched the Secure Cyber Risk Aggregation and Measurement (SCRAM) cryptographic platform, which aggregates data to show the weakest spots in security — and those leading to the worst financial losses.
    According to the researchers, at a time when many organizations are restructuring and cutting costs due to the disruption caused by COVID-19, a technological solution that is able to quantify an organization’s security posture and recommend what areas to prioritize is valuable. 
    SCRAM, developed by Taylor Reynolds, technology policy director at MIT’s Internet Policy Research Initiative (IPRI), economist Professor Andrew Lo and cryptographer Vinod Vaikuntanathan, does not require users to reveal sensitive corporate data, but instead, builds its recommendations based on existing security incidents without accessing the finer points of each event. 
    The team says that the platform has three goals: to quantify how secure an organization is, how their security compares to rival companies, and to evaluate whether or not cybersecurity is being given the right budget — and if not, what priorities should be changed.  
    During tests, internal data was received from seven enterprise companies averaging 50,000 employees with annual revenue of $24 billion. SCRAM then aggregated data from 50 security incidents at the participating companies using Center for Internet Security Sub-Controls, allowing researchers to analyze the attack vectors and what steps could have potentially prevented each one.
    By using multi-party computation (MPC), the team was able to perform calculations in tandem with the CIS controls, without reading or unlocking the confidential information they were sent. Once analyzed, the participating companies received individual cryptographic keys to unlock each report privately. 
    “The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with a third party,” Reynolds says.
    The MIT CSAIL team found that the most expensive financial losses, exceeding $1 million, were caused by failures to prevent malware infections, unauthorized communication over ports, and failure to log and manage security incident records.

    In the future, the researchers hope that more companies will participate; in particular, from the electricity, financial, and biotech industries. If 70 to 80 companies representing these areas join up, MIT believes it will be able to “put an actual dollar figure on the risk of particular defenses failing.”
