More stories

  • CERT/CC launches Twitter bot to give security bugs random names

    In an attempt to reduce the use of sensationalized and scary vulnerability names, the CERT/CC team launched a Twitter bot that will assign random and neutral names to every security bug that receives a CVE identifier.

    Named Vulnonym, the bot is operated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the first CERT team ever created and now a collaborator and partner of the DHS’ official US-CERT team.
    The idea for the bot grew out of the seemingly unending debate over whether vulnerabilities should have names at all.
    The problem with vulnerability names
    For decades, all major security flaws have been assigned a CVE identifier by the MITRE Corporation. This ID is usually in the format of CVE-[YEAR]-[NUMBER], such as CVE-2019-0708.
    CVE IDs are mostly used by security software to identify, track, and monitor bugs for statistical or reporting purposes; humans rarely use them in any meaningful way.
    Over the years, some security firms and security researchers realized that their work in identifying important bugs could easily get lost in a constant stream of CVE numbers that almost everyone has a hard time remembering.
    Companies and researchers realized that the bugs they discovered had more chances to stand out if the bug had a cool-sounding name.

    And so the practice of “bug naming” came to be, with the best-known examples being Spectre, Meltdown, Dirty Cow, Zerologon, Heartbleed, BlueKeep, BLESA, SIGRed, BLURTooth, DejaBlue, or Stagefright.
    But as time went by, some vulnerability names started to deviate from being descriptive of a security bug and entered the realm of fearmongering and attention-seeking, becoming a marketing shtick.
    Things reached a ridiculous level last year when a Cisco bug was named using three cat emojis under the spoken term of Thrangrycat (aka “three angry cats”).
    In recent years, many security experts have started to react with vitriol and derision every time a disclosed security bug comes with a name.
    Some major bugs have been played down just because the vulnerability received a name, while seemingly unexploitable bugs were overhyped and received way too much media attention just because they were launched with a name, website, logo, and sometimes even with theme songs.
    Yes, vulnerabilities should have names
    But in a blog post on Friday, the CERT/CC team decided to put forward a solution to put some order in vulnerability naming. Their answer was the Vulnonym bot, which will assign a two-word codename in the format of adjective-noun to every newly assigned CVE ID.
    “Not every named vulnerability is a severe vulnerability despite what some researchers want you to think,” said Leigh Metcalf, a member of the CERT/CC team.
    “We aren’t arguing that vulnerabilities shouldn’t have names, in fact, we are encouraging this process!”
    Metcalf argues that humans inherently need easy-to-remember terms to describe security bugs because “humans aren’t well conditioned to remember numbers,” such as the ones used for CVE IDs.
    She likened the situation to domain names: people remember google.com, not the numeric IP address of the server that hosts the google.com website.
    “Our goal is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is,” Metcalf said.

  • Services Australia working on WPIT overhaul cyber concerns

    The Department of Human Services over five years ago kicked off the program of work to basically replace the then-30-year-old Income Security Integrated System (ISIS) that is used to distribute welfare to Australians.
    The project, known as the Welfare Payment Infrastructure Transformation (WPIT) program, was slated to cost around AU$1.5 billion and run from 2015 to 2022.
    The Australian National Audit Office (ANAO) last month handed down its examination of WPIT, finding the former department, now known as Services Australia, had “largely appropriate arrangements” in many areas, but was lacking on the cyber and cost monitoring fronts.
    Agency representatives told Senators last week that it was currently working on the recommendations made by ANAO.
    “We would agree with the ANAO report at that time that there were components of the system that have not been accredited, we have an approved program of work that is going through that accreditation program now,” Services Australia general manager cyber services Tim Spackman said.
    “I think it’s worth noting that there is a number of components to that system and even small changes require re-accreditation throughout that process — it’s not a set and forget scenario.”
    Spackman said the department has worked closely with the Australian Cyber Security Centre and that it has a “really good capability” in its 24/7 cyber operation centre.

    Specifically, Spackman said the department is currently looking at the ISIS component and has “done the lion’s share of that work”. He said completion is due before the year is out.
    “I would like to stress though, that the accreditation piece does not mean that nothing’s happening in the interim, we are continually looking at maturing our cyber capability,” he continued. “We just need to accept some of the mitigations and put that into a program of work.
    “The system is large and changes of that scale shouldn’t be done quickly or done in an ill-planned way, so it does take some time to ensure that we don’t disrupt services.”
    Providing an update of where WPIT is up to, deputy CEO for transformation projects Charles McHardie said Services Australia is currently in tranche four of the project.
    He said the agency has been funded to deliver across five key priorities in the final two years of the program. The first, he said, is reusable technology.
    “That is rolling out what we call a new payment utility capability, which allows us to replace the current payment capability that sits in the ISIS system, pushing the payment out to the Reserve Bank. So we’re replacing that,” he said.
    Services Australia released one payment through that program six weeks ago, the parenting allowance, with pensions scheduled to follow on Tuesday.
    “That’s been developed in what we call the SAP S4 HANA technology capability,” he said.
    The second one is the entitlement calculation engine, which McHardie has called the “heart of the ISIS system”.
    “The ISIS system has about 30 million lines of code, so quite complex, and around 4 million lines of that code base is related to entitlement calculations,” he said. 
    “This is basically where a customer submits a claim to us, tells us the circumstance of their situation, the system takes that circumstance, any information we already know about them in the core database that supports it, plus any additional information that’s been input by staff as part of that claim process, and comes up with an entitlement calculation based on social security legislation rules, which sit in that system.”
    He said based on that, the payment utility would make the payment through the Reserve Bank.
    The agency has outsourced this to systems integrator Infosys and is utilising technology from Pegasystems.
    “Over the period from now all the way through to the end of 2022, we will replace all of our entitlement calculations with that new capability,” he said. “So they’re what we call the two pieces of reusable tech.”
    It is expected Services Australia will use the technology for aged care reform and veteran-centric reform, too.
    The agency will then be implementing automation, claim transformation, circumstance updates, and a “data and enabling capability”.
    “The main thrust there is to replace all of the screens that our staff use when they process new claims, and when they deal with claim maintenance activity on a daily basis,” McHardie said.

  • Microsoft is mad as hell. This may make it worse

    More fuel for Redmond’s fiery plea for trust?
    You’ve probably had one or two thoughts about politics lately.

    It’s that time of year. The light begins to disappear, both outside your door and inside the eyes of tired, nonsense-peddling politicians.
    Perhaps this is what led Microsoft to fully express its own indignation at US politicians’ inability to do what more than 130 other countries have already managed — enact a digital privacy law or two.
    Last week, I offered the words of Julie Brill, Microsoft’s corporate vice-president for Global Privacy and Regulatory Affairs and chief privacy officer. (Her business card is 12 inches wide.)
    She expressed Redmond’s frustration that the US is so far behind in doing the right thing. She said: “In contrast to the role our country has traditionally played on global issues, the US is not leading, or even participating in, the discussion over common privacy norms.”
    Ultimately, however, Brill said the company’s research showed people want business to take responsibility, rather than government.
    Which some might think humorous, given how tech companies — Microsoft very much included — have treated privacy, and tech regulation in general, as the laughable burp of a constantly acquisitive society.

    I wondered, though, what other companies really thought about all this.
    In an attack of serendipity that I hope didn’t come from snooping around my laptop, new research asking those sorts of questions was just published.
    Snow Software, a self-described “technology intelligence platform” — you’re nothing if you’re not a platform — talked to 1,000 IT leaders and 3,000 employees from around the world.
    This was all in the cause of the company’s annual IT Priorities Report.
    I hope Brill and her team at Microsoft are sitting down as they read this. You see, 82% of employees said more regulation was needed. As did 94% of IT leaders. (The other 6% must be doing their jobs from a sandy beach, with a hefty supply of cocktails.)
    Yes, Microsoft, more people agree with you more strongly, yet still so little is being done. That won’t soothe your innards. It’ll drive you madder. Sometimes, having the majority on your side still doesn’t make you the winner.
    The majority of those surveyed who believed more regulation is necessary pointed to data protection and cybersecurity as the most urgent areas.
    In the US, though, IT leaders agreed that the most important area for correction was data protection, but next came data collection. They understand how the mining of our very souls has become entirely uncontrolled.
    These US IT leaders placed cybersecurity as third on their list of priorities, followed by universal connectivity and, how bracing that they mentioned this, competition.
    I asked Snow to dig deeper into its survey and offer me some unpublished details about its findings. One of the more difficult was that IT leaders said their priorities were adopting new technologies and reducing security risks. Yet the former can cause more of the latter, rather than less. How can you square the two?
    Naturally, there was something of a gulf between IT leaders and employees on one issue — technology that’s left unmanaged or unaccounted for.
    Far more employees think this is no biggie, whereas IT leaders would like to stand in front of these employees and scream for a very long time. While phrases such as “government fines” and “contractual breaches” emerged from their foamy mouths.
    Yet perhaps the most pungent and dispiriting result from this study is that a mere 13% of employees said tech regulations make them feel vulnerable. Last year, the number was 24%.
    You might think this good news. You’ll think it suggests security has somehow progressed enormously. 
    I’m not quite as optimistic. I worry employees are now so used to living inside technology that, in truth, they’ve entirely stopped thinking about the negative consequences of its insecurity. Whatever other answers they might give in surveys.
    Why, here’s an answer employees gave: A trifling 28% said current tech regulations made them feel safe. That’s only 2 points higher than last year.
    Tech regulation isn’t easy. Tech companies have been allowed to swallow our lives whole and leave a complex indigestion for us to deal with. Too often, we don’t even bother trying because, well, it shouldn’t be our responsibility.
    These haven’t been responsible times. Tech has moved fast and broken things that really shouldn’t have been broken.
    The pieces on the floor are everyone’s. The responsibility for putting them back together lies, as Microsoft now confesses, with the High Humpties of government and business.
    I begin to hold my breath.

  • Chrome will soon have its own dedicated certificate root store

    Image: Christiaan Colen (Flickr)
    Google has announced plans to run its own certificate root program/store for Chrome, in a major architectural shift for the company’s web browser program.
    A “root program” or a “root store” is a list of root certificates that operating systems and applications use to verify the identity of a software program during its installation routine.
    Browsers like Chrome use root stores to check the validity of an HTTPS connection.
    They do this by looking at the website’s SSL certificate and checking whether the chain of certificates that issued it leads back to a root certificate present in the local root program/store.
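    The store lookup described above, as an added example written for this page (Go standard library only; not code from Google or from the article). It constructs a throwaway PKI with two roots, Example Root A and Example Root B, and shows the same site certificate validating against a store that contains its root while failing against a store that does not, which is exactly the position a CA left out of a browser’s own root program would be in. All names, hostnames and the two stores are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent/parentKey, or self-signed when
// parent is nil (that is how a root is made). Errors panic: this is a constructed demo.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustedBy is the check the article describes: does the site's certificate chain,
// via the intermediates the server sent, end at a root that is present in store?
func trustedBy(store *x509.CertPool, leaf *x509.Certificate, intermediates []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: store, Intermediates: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo: constructed PKI with two roots; Example Root B is in the OS store but not the browser's.
func Demo() (osTrust, browserTrust bool) {
	rootA, _ := issue("Example Root A", true, nil, nil, nil)
	rootB, keyB := issue("Example Root B", true, nil, nil, nil)
	inter, interKey := issue("Example Root B Intermediate", true, nil, rootB, keyB)
	leaf, _ := issue("www.example.test", false, []string{"www.example.test"}, inter, interKey)
	osStore := x509.NewCertPool() // what the platform ships: both roots
	osStore.AddCert(rootA)
	osStore.AddCert(rootB)
	browserStore := x509.NewCertPool() // the browser's own list: Root B not admitted
	browserStore.AddCert(rootA)
	chain := []*x509.Certificate{inter} // intermediates a server would send alongside the leaf
	return trustedBy(osStore, leaf, chain, "www.example.test"),
		trustedBy(browserStore, leaf, chain, "www.example.test")
}

func main() {
	osTrust, browserTrust := Demo()
	fmt.Println("OS store trusts site:", osTrust, "| browser store trusts site:", browserTrust)
}
```

Adding Root B to browserStore flips the second result to true, which is the transition the article says CAs must apply for before Chrome switches stores.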
    Chrome will shift from OS root store to its own
    Since its launch in late 2009, Chrome has been configured to use the “root store” of the underlying platform. For example, Chrome on Windows checked a site’s SSL certificate against the Microsoft Trusted Root Program, the root store that ships with Windows; Chrome on macOS relied on the Apple Root Certificate Program; and so on.
    But in a wiki page, shared with ZDNet by one of our readers, Google announced plans to create its own root store, named the Chrome Root Program, that will ship with all versions of Chrome, on all platforms, except iOS.
    The program is currently in its incipient stages, and there is no timeline of when Chrome will transition from using the OS root store to its own internal list.

    For now, Google has published rules for Certificate Authorities (CAs), the companies that issue SSL certificates for websites.
    The browser maker is urging CAs to read the rules and apply to be included in its new Chrome Root Program whitelist to ensure a seamless transition for Chrome users when the time comes.
    With a market share of 60% to 65%, Chrome is the gateway for most users to the internet, and most CAs will most likely have their affairs in order when the transition moment comes.
    Similar to Firefox
    This approach of packing the root store inside a browser rather than using the one provided by the underlying OS isn’t new and is what Mozilla has been doing for Firefox since its launch.
    Reasons to do so are many, starting with the ability for Chrome’s security team to intervene and ban misbehaving CAs faster, and Google’s desire to provide a consistent experience and common implementation across all platforms.
    However, the change was not met with open arms. One place where this move is expected to cause friction is in enterprise environments, where some companies like to keep an eye on what certificates are allowed in the root store of their devices.
    “This will generate more work for system administrators,” Bogdan Popovici, an IT administrator at a large software company in Iasi, Romania, told ZDNet. “We now have another root store list to manage, new group policies to set up, and a new changelog to follow. We’re already busy as it is.”
    “This is not an improvement! I need another root store to maintain like I need a hole in my head,” said Reddit user Alan Shutko. “It just makes it more difficult for companies that have their own CA to keep everything in sync.”

  • RedMart security breach should come as no surprise, highlights importance of integration plan

    That Lazada’s online grocery platform RedMart has suffered a serious data breach this week should come as no surprise, especially since it has made several public missteps after folding the app into its own e-commerce app more than a year ago. The security oversight underscores the importance of putting in place a proper integration strategy when companies merge and one that should continue to be reviewed even after the transition is complete. 
    News broke late-Friday that the data of 1.1 million RedMart accounts had been compromised, after an individual claimed to have access to a database containing their personal information including names, mailing addresses, email addresses, phone numbers, encrypted passwords, and partial credit card numbers. 


    Lazada, which acquired RedMart in November 2016, sent a note Friday to affected customers informing them of a “RedMart data security incident” that it said was uncovered the day before, on October 29, as part of “regular proactive monitoring” carried out by the company’s cybersecurity team. RedMart customers were automatically logged out of their accounts and prompted to reset their passwords before logging back in.
    In its note, Lazada said the breach led to unauthorised access to a “RedMart-only database” that was hosted on a third-party service provider and had contained “out of date” customer data that was last updated on March 2019. It added that “immediate action” was taken to block the illegal access and that Lazada’s own customer data was not affected by the breach. 
    The Southeast Asian e-commerce operator in January 2019 announced plans to integrate the RedMart app into its platform, more than two years after it acquired RedMart. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016. RedMart accounts were formally integrated on March 15, 2019 — the same month the compromised database was last updated.
    The move had drawn sharp criticism from former RedMart customers in Singapore, who were promised the “same shopping experience — from browsing to ordering” on the integrated platform, but found this to be far from the truth when March 15 rolled over. 
    Once beloved for its streamlined and clean user interface, the integrated RedMart experience was described by customers as cluttered, difficult to navigate, and missing several popular features such as the ability to update a scheduled order and access to a favourite items list.

    Today, more than a year after the transition, user experience for RedMart — which currently has its own section on Lazada — remains inconsistent across its mobile and online platforms. While its mobile app largely works, the same cannot be said for its website. RedMart customers on the Lazada website will hit a stalled page when they attempt to retrieve their favourite items list, and adding items to their cart will lead to a “network error” or an error page.
    Clearly, some things have slipped through the cracks since the merger and a security breach was a matter of “when”, not “if”. 
    Questions remain about Lazada’s security hygiene
    That the database was outdated is irrelevant; the data it contained isn’t exactly transient in nature. I haven’t changed my mobile number in at least 20 years and how many actually move homes in under two years? 

    That it was a “RedMart-only” database also is little consolation. RedMart customers’ login credentials were moved along with the integration and their passwords are used to log into the Lazada platform before they can access the RedMart section. So, why that still means their Lazada data is “not affected” needs further explanation. 
    That the database was hosted on a “third-party service provider” is moot. Your customer data, your database, your responsibility. If it was last updated 18 months ago, then the system should have been retired and taken offline, away from the prying hands of hackers.
    If it was left online for operational reasons, then policies and procedures should have been put in place to ensure the database remained updated, regularly checked for any potential vulnerabilities, and security patches promptly deployed. 
    And there are many questions that still need to be answered. 
    Was the breach actually discovered during a “regular proactive monitoring” or was it identified only after the hacker or hackers publicly declared they were in possession of the database and had put up the details for sale? 
    Was Lazada’s cybersecurity team aware the second the database was breached, and not only when the hackers announced they had access to the data? When exactly did the breach occur? How long had the hackers been lurking in stealth mode? What else could they have breached?
    With 1.1 million accounts compromised, Lazada not only faces a potentially stiff penalty from the relevant Singapore authorities, its reputation has taken a significant hit. Customers have taken to its social media profiles with questions about their data security and to decry the platform’s lack of security, including the absence of basic features such as two-factor authentication. 
    These are issues Lazada could very well have avoided if it had put in place, from day one, a proper integration plan. One that could have helped ensure customers knew what to expect, that user experience remained consistent, and features were at the very least functional. 
    A proper transition strategy also would identify systems that should be kept operational, and how they should be properly maintained, as well as pave out a timeline for those that were no longer needed and how these should be taken out of commission.
    Now in damage control, it remains to be seen how Lazada will move to repair its brand. One thing’s for sure, with the missteps it has made — and continues to make — more “security incidents” may be on the way if Lazada doesn’t clean up its act, and quickly. 

  • The path to a new normal in 2021 demands increased cybersecurity resilience

    Customer expectations are changing, simply because they must, in the face of economic uncertainty, social movements, and shifting geopolitics, and that will have a significant impact on information and IT security professionals across the globe. 2021 will be the beginning of a transition toward a new normal, and organizations will continue to adapt to new business models.

    The cybersecurity trends Forrester expects to see in 2021: 
    A CISO from a Global 500 firm will be fired for instilling a toxic security culture. Toxic security team culture harms employee retention and hinders recruiting. CISOs are responsible for identifying and addressing such issues on their team, but what happens when the problem stems from the CISO? Empowered employees understand that social media can amplify concerns if their company disregards them. Professional networks once privately shared details of toxic leaders and individuals to avoid, but now that conversation will become public — and rightfully so. 2021 will be a year of reckoning for leaders who create, tolerate, or ignore hostile cultures. CISOs must invest in improving empathy and people management skills and cultivate a positive culture for their teams to thrive in.
    Funding for non-US-headquartered cybersecurity companies will increase by 20%. Startup creation is increasingly a source of national pride and investment in Europe and Asia Pacific. Moves by the EU Commission to promote its digital sovereignty and further economic protectionism in Asia will result in increased funding for regional cybersecurity firms. Multinational firms must give up their single-sourcing approach and accept the reality of point solutions based on region. Develop a startup scouting capability to identify promising new regional security technology, build an adaptable procurement and sourcing plan to obtain them, and create standard security guidelines to create consistency across disparate vendors. 
    Audit findings and budget pressure will lead to an uptick of risk quantification tech. Struggling firms cut spend on staffing and technology to survive 2020. In 2021, stagnant or declining budgets will require solid justification for spending. Risk quantification solutions that provide insights into the criticality of assets and potential impact of an issue in real time with business context will help security leaders determine what stays, what goes, and where limited increases should go. Examine risk quantification solutions — and their substantial required dependencies — to move beyond the tried-and-true basic business case that was sufficient during the growth years. 
    And yes, there will be data breaches and ransomware. For more trends and insights for the year ahead, download Forrester’s complimentary 2021 Predictions eBook here.    
    This post was written by Forrester Principal Analyst Heidi Shey, and it originally appeared here. 


  • Predictions 2021: Privacy becomes an imperative in a year of transition

    Next year — 2021 — will be a year of transition. As communities, consumers, and businesses leave the pandemic behind, they will embrace a new normal. 

    Three privacy-related trends will underpin this transition: 1) an ever-increasing appetite to collect, process, and share sensitive personal data from consumers and employees; 2) despite the recessionary economy, values-based consumers will increasingly prefer to engage with and entrust their data to ethical businesses; and 3) regulatory and compliance complexity in relation to data privacy will increase further. 
    Against this scenario, for 2021, Forrester predicts that: 
    Regulatory and legal activity related to employee privacy will increase 100%. Pandemic management, as well as a growing desire to improve workforce analytics and insights, will drive organizations to hungrily collect more and more employee data. We predict that in the next 12 months, regulatory and legal activity will double and overwhelm organizations that fail to take a thoughtful approach to employee data — one that respects and protects employee privacy. Companies must develop a privacy-by-design approach to their initiatives that entails the collection, processing, and sharing of their employees’ personal data.
    One in four CMOs will invest more in technology to collect zero-party data. Digital advertising is on the brink of major, systematic changes. Values-based customers increasingly look to share their data with companies that embrace privacy as a value and treat data ethically. On top of it, the death of the third-party cookie forces companies to focus more on collecting data directly from customers and rely less on more risky third-party data. In 2021, CMOs will start to make strategic revisions to their ecosystem, and 25% of them will increase their capabilities to collect zero-party data. CMOs must partner with their security, risk, and privacy peers to select the right technology and craft processes that adequately support their objectives. 
    CCPA 2.0 will pass and spur the introduction of federal privacy legislation in the US. In the next 12 months, two important events will shake privacy in the US. The California Privacy Rights Act (CPRA) will pass, and this will force the US government to finally introduce a bipartisan federal privacy bill that has a realistic chance of passage. Organizations need to identify what aspects of CPRA will apply to them and keep their eyes turned toward the national legislation when introduced to determine how to adjust their approach. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.     
    This post was written by Senior Analyst Enza Iannopollo, and it originally appeared here.