More stories

  • Healthcare lags behind in critical vulnerability management, banks hold their ground

    Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area?

    The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies — including banks, industrial giants, and medical facilities — can be far more lucrative for cybercriminals.
    Stolen bank account data can be used to conduct fraudulent payments; information can be taken for the purposes of cyberespionage, and in the industrial sector, disrupting core operations can impact everything from energy supplies to water availability for customers. 
    One of the common avenues for attacks against the enterprise is the exploitation of unpatched vulnerabilities, and so it is crucial for organizations to maintain frequent patch cycles that tackle the most high-risk security issues for their networks promptly. 
    However, not every business, and not every industry, performs patch management equally well. According to new research from Kenna Security and the Cyentia Institute, there are significant gaps in how different markets deal with vulnerabilities, including high-risk security flaws. 
    “Finance companies have a big target on their backs,” the company says. “Tech companies have the skills to get the job done. Manufacturing firms are insulated from danger with lots of custom and rare applications that few hackers would bother to develop exploits for. And the healthcare industry? Well, the conventional wisdom says that it’s crammed full of tech, but hacks aren’t easy to monetize.”
    On Tuesday, the cybersecurity firm released a report into vulnerability management conducted by the financial, manufacturing, medical, and technological industries.
    Manufacturing: Kenna Security says that industrial companies tend to take “twice as long” to fix bugs in comparison to other sectors, and also have double the number of vulnerabilities per asset — such as printers, IoT devices, and PCs in use.
    However, only 5% of bugs are deemed high-risk, and the industry may be further protected as few threat actors have developed exploit kits focused on this area. In total, 44% of manufacturing companies reduce their exposure to bugs that can be weaponized every month, but 39% “end each month with more high-risk vulnerabilities than they started with.” In total, 17% are reported as “breaking even.”
    Technology: Given their nature, tech companies tend to have fewer vulnerabilities per asset than other industries, and patch management is generally conducted more quickly. 
    According to the research, a typical company will close approximately 25% of newly-disclosed vulnerabilities within 19 days. In comparison, a technology firm will close 25% in seven days; 50% in 17 days; and 75% in 67 days. 

    High-risk vulnerabilities, too, are tackled rapidly. In total, tech firms will close roughly 90% of them per month, whilst 80% of organizations will either hold their ground or reduce their security ‘debt’ each month. 
    Healthcare: When cyberattacks disrupt healthcare providers, the consequences can be fatal — as we saw in the recent death of a patient at a German hospital. As a result, the medical industry is often subject to attacks including ransomware as threat actors bet they will pay up rather than put lives at risk. 
    To deploy such malware, phishing or the weaponization of vulnerabilities are common attack vectors. 
    The report says that a typical healthcare organization has roughly 34 bugs per asset and 50% of common bugs take 50 days to patch, causing a “lag” in comparison to other sectors. 

    However, many healthcare providers do gain ground when it comes to critical issues, with 67% of overall companies reducing their high-risk exposure every month. In total, 25% fall behind. 
    Finance: There will always be cybercriminals that target financial companies as many are motivated by money, and if they can obtain access to corporate networks or customer data, they may be able to earn themselves an illicit fortune. 
    It should not be a surprise, then, that financial companies tend to deal with half of newly-disclosed vulnerabilities within 44 days, compared with an average of 34 days across other industries. That is still an achievement when you consider that they often have four times as many vulnerabilities per asset as other industries. 

    “Financial firms traditionally have a large digital footprint incorporating numerous software and services and that translates to more vulnerabilities,” Kenna Security notes. “More assets inherently means more strife for vulnerability management programs.”
    Perhaps more importantly, financial organizations hold their own when it comes to critical bugs. Every month, 85% of the most dangerous vulnerabilities are closed, and 70% either break even or resolve additional security flaws. 


  • This is how much top hackers are earning from bug bounties

    Can you get rich from reporting software bugs? For some, hunting down vulnerabilities in websites and apps is a challenge a bit like doing a crossword; for others it’s a major source of income.
    Paying hackers to search for flaws in software or services is becoming increasingly common; these ‘bug bounty’ programmes allow hackers to get paid for spotting problems, while organisations benefit from the ability to tighten their security by paying a few thousand dollars per bug.
    HackerOne, which runs bug bounty programmes for organisations including the US Department of Defense and Google, has published new data about the number of vulnerabilities found by hackers signed up to its projects — and how much they have been paid. To date, over 181,000 vulnerabilities have been reported, and over $100 million paid out to the hackers who have signed up to its service.
    The company said that more than $44.75 million in bounties was awarded to hackers around the world over the past year — an 86 percent year-on-year increase. The vast majority of that is awarded by organisations in the US.
    Some bugs can bring in a decent reward: HackerOne said the average bounty paid for critical vulnerabilities increased to $3,650, up eight percent year-over-year, while the average amount paid per vulnerability is $979. Critical vulnerabilities make up around 8% of all reports, while high severity reports account for 21%.
    HackerOne said that “hacking has remained a consistent and stable source of income” for some signed-up hackers. Nearly nine out of ten are under 35 and one in five said that hacking is their only source of income.
    Bug bounty millionaires
    Nine individual hackers have now amassed $1 million in total bounty earnings via HackerOne in less than a decade, showing that bug bounty hunting can pay well for the elite. And over 200 hackers have earned more than $100,000, and 9,000 hackers have earned ‘at least something’. Of the hackers who have found at least one vulnerability, half have earned $1,000 or more.
    But even if many aren’t making much money from bug hunting, the skills they are learning could be indirectly good for their careers; four out of five said they will use the skills and experience learned while hacking to help land a job.
    The global coronavirus outbreak seems to have led to a surge in malicious attacks on organisations, but it has also prompted an increase in the number of hackers looking to help find and fix security flaws. HackerOne said that new hacker signups increased by 59% in the months following the start of the pandemic, while bug reports increased by 28% — perhaps because many people were forced to stay at home, giving them more time for bug hunting.
    But bug hunting for money might be getting harder. As organisations fix more vulnerabilities, average bounty values are increasing, which is a good thing for hunters. However, remaining vulnerabilities also become more difficult to identify, requiring more skill and effort to discover.

  • Most tech pros believe Facebook should do more to stop election misinformation

    As bot-driven misinformation campaigns flood our social feeds, aiming to guide voter choice, and fake accounts intended to undermine elections proliferate, users need to feel reassured that the information they see is authentic.

    In 2020, the responsibility for electoral integrity is falling on US tech companies nearly as much as on the government. Social media platforms are so prevalent that any misinformation, if left unchecked on social media, could cause a massive swing of sentiment amongst voters.
    As the US presidential election draws closer, questions are still asked about whether bots influenced the 2016 election in a significant way. Facebook noticed that in 2016 there were “coordinated online efforts by foreign governments and individuals to interfere in our elections.”
    It also recently “took down a network of 13 accounts and 2 pages that were trying to mislead Americans and amplify division.” But what do users across the tech industry think?
    San Francisco-based anonymous professional network Blind surveyed 1,332 users, asking each the same two questions. It wanted to gauge whether tech employees felt Facebook was accountable for election misinformation, and to compare their views with those of Facebook’s own employees.
    It asked “Do you believe it is the responsibility of Facebook to prevent misinformation about the election?” and “Are you surprised by Zuckerberg’s stance given his previous ‘free speech’ stance?”
    In October 2019, Zuckerberg spoke at Georgetown University about the importance of protecting free expression and promised to:

    “1. Write policy that helps the values of voice and expression triumph around the world; 2. Fend off the urge to define speech we don’t like as dangerous; and 3. build new institutions so companies like Facebook aren’t making so many important decisions about speech on our own.”

    The survey results showed that almost seven in 10 (68%) of surveyed tech professionals believe it is the responsibility of Facebook to prevent misinformation about the election.
    This contrasted markedly with Facebook’s own employees, of whom only 47% believe Facebook should be responsible for preventing misinformation.
    One in three (33%) of surveyed tech professionals are surprised by Zuckerberg’s stance given his previous “free speech” stance, contrasted by only 27% of Facebook employees.
    Considering Facebook’s adherence to its “free speech” policy, any deviation from its political ad policies is worth looking at.
    Last week, Zuckerberg said in a Facebook post that the platform will block new political and issue ads in the week leading up to the election, to prevent last-minute misinformation.
    It will also expand its voter suppression policies and will remove posts with claims that people will get COVID-19 if they take part in voting.
    These survey results suggest that Facebook’s employees disagree with other tech professionals about their hand in misinformation accountability.
    Is it Facebook’s job to sway voters one direction or the other in November? Should people across Facebook be allowed to speak their minds, share their opinions, and come to their own conclusions based on the information they see?
    If President Donald Trump is swaying public opinion via social media, then should former Vice President Joe Biden use social media to sway voters in the other direction?
    Is it up to Facebook to decide who will win this election — or is it up to the voters getting the information they need across social platforms to make the right choice?

  • Microsoft renames and unifies more products under Microsoft Defender brand

    After rebranding Windows Defender as Microsoft Defender in early 2019, Microsoft is renaming and bringing more products under the Defender brand, the company announced today at its yearly Ignite developer conference.
    Starting Sept. 22, the Microsoft Defender product line will be expanded and split across two branches as Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure, respectively.
    The Microsoft 365 Defender line will include:
    • Microsoft 365 Defender (previously Microsoft Threat Protection)
    • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
    • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
    • Microsoft Defender for Identity (previously Azure Advanced Threat Protection)
    Similarly, the Azure Defender line will include:
    • Azure Defender for Servers (previously Azure Security Center Standard Edition)
    • Azure Defender for IoT (previously Azure Security Center for IoT)
    • Azure Defender for SQL (previously Advanced Threat Protection for SQL)
    Microsoft’s long-term plan is to unify all its cyber-security offerings under a simpler naming scheme that makes it easier to get a grasp on the company’s full security capabilities.
    Although Microsoft is considered to have some of the best security products in the business, due to its deep knowledge of its own products, until now, the company’s different product naming schemes have made it hard for companies, executives, and IT staff to make their way around Microsoft’s product portfolio.
    However, Microsoft plans to make things simpler than before.
    Going forward, there will be Microsoft Defender and Azure Sentinel.
    Microsoft Defender will be Microsoft’s XDR product, while Azure Sentinel will be the company’s SIEM line.
    XDR stands for eXtended Detection and Response and is a cyber-security term that refers to products that detect and respond to active threats on endpoints (be they workstations, servers, email accounts, or IoT devices).
    SIEM stands for Security Information and Event Management and is a cyber-security term that refers to web applications that aggregate logs from all a company’s sources (OS, application, antivirus, database, or server logs) in order to analyze large quantities of data from a vantage point and search for anomalies and signs of a security breach.
    “Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise,” said Rob Lefferts, M365 Security CVP.
    “Some vendors deliver XDR, some deliver SIEM. Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets.”

  • The dark web won't hide you anymore, police warn crooks

    Law enforcement agencies around the world have arrested 179 people involved in buying and selling illicit goods and services on the dark web as part of a coordinated international takedown operation involving agencies in nine countries – and police have warned cyber criminals that “the golden age of the dark web is over”.
    The coordinated campaign was led by the German Federal Criminal Police, with support from the Dutch National Police, the UK’s National Crime Agency, US government agencies including the Department of Justice and FBI, Europol and others.
    Known as Operation Disruptor, it follows last year’s takedown of Wall Street Market, which was at the time the second largest illegal online marketplace on the dark web.
    Law enforcement managed to identify users of Wall Street Market which led to the identification of users of other dark web marketplaces including AlphaBay, Dream Nightmare, Empire, White House, DeepSea, Dark Market and others – which has resulted in 179 arrests.
    The highest number of arrests were made in the US, with 121, followed by 42 arrests in Germany. Eight arrests have been made in The Netherlands, with four in the UK, three in Austria and one in Sweden.
    Those arrested are suspected to be involved in selling illegal items and services including drugs and firearms, with large amounts of product being seized by law enforcement. Over $6.5 million in cash and cryptocurrencies has also been seized following the arrests.
    “The golden age of dark web marketplace is over. Operations such as these highlight the capability of law enforcement to counter encryption and anonymity of dark web market places. Police no longer only take down such illegal marketplaces – they also chase down the criminals buying and selling illegal goods through such sites,” said European law enforcement agency Europol in a statement. “The dark web is not a fairy tale – vendors and buyers are no longer hidden in the shadow,” it said.
    “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre (EC3).
    “Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen,” he added.
    Authorities from Austria, Cyprus, Germany, the Netherlands, Sweden, Australia, Canada, the UK and the US all took part in the operation leading to the arrests. Investigations are still ongoing, with law enforcement hoping to make further arrests in future.

  • Facebook tries to make it harder to find an anti-vax group

    Facebook has used its submission to the Australian Select Committee on Foreign Interference through Social Media to outline the steps it has taken to stop the spread of misinformation, or at least highlight when something might be a bit on the nose.
    As the submission [PDF] highlights, pre-pandemic, Facebook was faced with the dilemma of providing people with freedom of speech at the expense of allowing misinformation to spread. This was exemplified when false coronavirus “advice” spread like wildfire.
    “Since the very beginning of the crisis, we have been displaying on Facebook and Instagram prompts to direct users to official sources of information, including from the Australian government and the World Health Organization (WHO),” Facebook wrote.
    “These have been seen by every Facebook and Instagram user in Australia multiple times, either in their feeds or when they search for coronavirus-related terms.”
    While it previously launched its own Coronavirus Information Centre and points users to the WHO or government health sites, Facebook has also started showing messages about COVID-19 misinformation on the News Feed to people who have liked, reacted, or commented on this type of harmful content.
    “These messages will connect people to COVID-19 myths debunked by the WHO, including ones we’ve removed from our platform for leading to imminent physical harm,” the social media giant wrote.
    Facebook has also made “significant” donations of free advertising credits on its services to the Australian government and state governments.
    It’s also started rolling out a new notification to give people more context about COVID-19 related links when they are about to share them.
    On the topic of vaccines, Facebook said it has been taking a range of steps to make anti-vaccination misinformation harder to find and elevate authoritative information about vaccines.
    This includes removing groups and pages that spread vaccine misinformation from recommendations or predictions when a user types the words into the search bar; rejecting ads and fundraisers that include anti-vaccination misinformation; and inserting authoritative notices at the top of groups and pages that are discussing anti-vax misinformation, directing people to authoritative sources.
    The social media giant isn’t removing the groups altogether, however.
    On the topic of providing more context around messages that are forwarded multiple times, Facebook said it has seen an increase in the amount of forwarding, which can contribute to the spread of misinformation.
    In April, Facebook added new labels to indicate when a message on WhatsApp has been forwarded many times already. It also introduced a limit so a highly-forwarded message can only be sent to one chat at a time.
    “This resulted in a 70% reduction in the number of highly forwarded messages on WhatsApp,” Facebook said.
    This month, it implemented similar messaging forwarding limits in Messenger.
    Together with Google, Facebook will also be piloting a “magnifying glass” icon next to highly-forwarded messages on WhatsApp, so that users can check the truthfulness of the content.
    As the submission was provided in an Australian context, the company touched on the work it undertook with the federal government’s Digital Transformation Agency, Atlassian, and service provider Turn.io to bring the Australian coronavirus WhatsApp chat capability to life.
    “Across the globe, chatbots such as the Australian government chatbot and the fact-checking chatbot on WhatsApp have sent hundreds of millions of messages directly to people with official information and advice,” it said.
    Facebook also partnered with the Poynter Institute’s International Fact-Checking Network in May to launch a fact-checking chatbot on WhatsApp. Similarly, it joined forces with the WHO in March to launch a WhatsApp chatbot, expanding that as an alert service powered by Messenger.
    Within days of the recent artificial intelligence upgrades, the WHO Health Alert service saw over 500,000 messages sent through and data on specific countries was requested more than 430,000 times. To date, the WHO Health Alert has received almost 4 million messages from over 540,000 users worldwide.

  • Details of 540,000 sports referees taken in failed ransomware attack

    A company that provides software for sports leagues to manage referees and game officials has disclosed a security incident that impacted around 540,000 of its registered members — consisting of referees, league officials, and school representatives.
    ArbiterSports, the official software provider for the NCAA (National Collegiate Athletic Association) and many other leagues, said it fended off a ransomware attack in July this year.
    In a data breach notification letter filed with multiple states across the US [1, 2], the company said that despite detecting and blocking the hackers from encrypting its files, the intruders managed to steal a copy of its backups.
    This backup contained data from ArbiterGame, ArbiterOne, and ArbiterWorks — three of the web applications used by schools and sports leagues to assign and manage the schedules and training programs of referees and game officials.
    ArbiterSports said the backups contained sensitive information about users who registered on these web apps, such as account usernames, passwords, real names, addresses, dates of birth, email addresses, and Social Security numbers.
    “The passwords and Social Security numbers were encrypted in the file, but the unauthorized party was able to decrypt the data,” the company said.
    ArbiterSports said that after blocking the attempt to encrypt its local data, the hackers reached out and demanded payment in exchange for deleting the files that they obtained.
    The company said it paid the ransom demand and “obtained confirmation that the unauthorized party deleted the files.”
    However, there is no guarantee that the hackers did not make a copy of the data before deleting ArbiterSports’ files. Sources in the incident response (IR) community have told ZDNet about cases where ransomware gangs did not delete the data.
    An ArbiterSports spokesperson was not immediately available for additional comments, despite repeated attempts.
    The ArbiterSports incident is reminiscent of a similar incident disclosed by Blackbaud, a provider of cloud-based software to universities and non-profits. Blackbaud also avoided having its files encrypted, but eventually had to pay hackers to delete files they stole before being detected.
    The Blackbaud incident triggered a wave of second-hand breach notifications from universities, schools, and colleges all over the world, all of which had to inform their own customers of the incident.

  • Member of 'The Dark Overlord' hacking group sentenced to five years in prison

    A UK national pleaded guilty today to extorting tens of companies across the world as a member of an infamous hacking group known as The Dark Overlord (TDO).
    Nathan Francis Wyatt, 39, was sentenced to five years in prison and ordered to pay $1,467,048 in restitution to victims.
    According to court documents, Wyatt was part of the TDO hacker group since 2016. The group operated by hacking into large companies, stealing their sensitive data, and then asking for huge ransoms.
    If victims didn’t pay, the hackers would sell their data on hacking forums, leak it on the public internet, or tip journalists about the breach in order to generate negative press for the hacked company.
    Wyatt’s role in the scheme was to contact victims and demand ransom payments. He was connected to the group after he used phone numbers registered in his name to contact some of the victims.
    Wyatt was arrested in 2017 in the UK and extradited to the US in December 2019 to face charges.
    Prior to his arrest on TDO-related charges, Wyatt had been investigated for hacking the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge.
    Most of the other members of the TDO group remain at large.
    In May 2018, Serbian authorities arrested a 39-year-old man in Belgrade on charges of being one of the TDO members; however, it’s unclear how he was connected to the group as authorities only shared the man’s initials (S.S.) and birth year (1980), which made tracking his case harder.
    The TDO group has a long and prodigious hacking history. The group has taken credit or has been linked to tens of hacks, such as:
    • Hacked three healthcare organizations and sold 651,894 patient records on the Dark Web
    • Sold over 9.3 million patient records from an unnamed healthcare insurance provider
    • Hacked and extorted the Cancer Services of East Central Indiana-Little Red Door center
    • Hacked Netflix and leaked episodes from season 5 of “Orange Is The New Black”
    • Hacked ABC and leaked episodes from “Steve Harvey’s Funderdome” TV show
    • Hacked Larson Studios, Inc., a Hollywood audio post-production studio, and stole a large collection of unreleased TV show episodes
    • Hacked H-E Parts International Morgan
    • Hacked Line 204, a provider of sound stages for Hollywood studios
    • Hacked Austin Manual Therapy Associates
    • Hacked SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy
    • Hacked Hand Rehabilitation Specialists
    • Hacked Gorilla Glue
    • Hacked and released data from multiple companies, such as Pre-Con Products, G.S. Polymers, PcWorks, International Textiles & Apparel, and UniQoptic
    • Hacked Caribbean Island Properties, a real estate company
    • Hacked Prime Staff Inc., an HR firm
    • Hacked Channel Ship Services, a sea shipping company
    • Hacked Sterling National Financial Group, an insurance firm
    • Hacked AZ Plastic Surgery Center