More stories

  •

    Microsoft secures backend server that leaked Bing data

    Microsoft suffered a rare cyber-security lapse earlier this month when the company’s IT staff accidentally left one of Bing’s backend servers exposed online.
    The server was discovered by Ata Hakcil, a security researcher at WizCase, who exclusively shared his findings with ZDNet last week.
    According to Hakcil’s investigation, the server is believed to have exposed more than 6.5 TB of log files containing 13 billion records originating from the Bing search engine.
    The WizCase researcher verified his findings by locating, in the server’s logs, search queries he had performed himself in the Bing Android app.

    Image: WizCase (supplied)
    Hakcil said the server was exposed online from September 10 to September 16, when he notified the Microsoft Security Response Center (MSRC), and the server was secured again with a password.
    Reached for comment last week, Microsoft acknowledged the mistake.
    “We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed,” a Microsoft spokesperson told ZDNet in an email last week.
    “After analysis, we’ve determined that the exposed data was limited and de-identified.”
    ZDNet, which was granted access to the server while it was exposed online without a password, can confirm that no personal user information was exposed.
    Instead, the server exposed technical details: search queries, information about the user’s system (device, OS, browser, etc.), geo-location details where available, and various tokens, hashes, and coupon codes. The caveat a practitioner will recognise is that free-text search queries combined with device and location fields can still single out an individual even when no name or account identifier is attached, so “de-identified” should not be read as “anonymous”.

    Image: WizCase (supplied)
    The leaky server was identified as an Elasticsearch system. Elasticsearch is a search and analytics engine that companies use to aggregate large volumes of log and event data so that billions of records can be searched and filtered quickly.
    Over the past four years, misconfigured Elasticsearch servers have been a recurring source of accidental data leaks.
    The reasons vary: administrators forgetting to set a password (Elasticsearch releases before 8.0 shipped with authentication switched off unless the operator enabled it, so a node bound to a public interface answers any HTTP request on port 9200); firewalls or VPN systems going down and exposing a company’s normally internal servers; or companies copying production data to test systems that are not secured as thoroughly as their primary infrastructure.
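    The check a defender would run against their own perimeter for the class of exposure described above, as an added example that is not part of the original article or WizCase’s research: an Elasticsearch node is fingerprinted by the tagline it returns on GET /, and an unauthenticated node will then happily list every index, document count and on-disk size through the _cat/indices API. The two HTTP servers in the block are stand-ins written for this example (an “open” node and a node that demands Basic credentials in the way X-Pack security does); the index name and sizes they report are constructed to mirror the figures quoted in the article, not data from the real server.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Every Elasticsearch node answers GET / with this tagline; it is the cheapest fingerprint.
ES_TAGLINE = "You Know, for Search"


def probe_elasticsearch(base_url, timeout=5):
    """Check whether base_url is an Elasticsearch HTTP endpoint reachable without credentials.

    Returns a dict: 'elasticsearch' (fingerprint matched), 'unauthenticated' (the node served
    data to an anonymous request) and, if open, the indices an anonymous caller can enumerate.
    """
    result = {"elasticsearch": False, "unauthenticated": False, "indices": []}
    try:
        req = Request(base_url + "/", headers={"Accept": "application/json"})
        with urlopen(req, timeout=timeout) as resp:
            root = json.load(resp)
    except HTTPError as err:
        # A secured node rejects anonymous requests with 401 and a Basic challenge in
        # realm "security"; that is the healthy state, so report it and stop.
        challenge = err.headers.get("WWW-Authenticate", "")
        if err.code in (401, 403) and 'realm="security"' in challenge:
            result["elasticsearch"] = True
        return result
    if root.get("tagline") != ES_TAGLINE:
        return result
    result["elasticsearch"] = True
    result["unauthenticated"] = True
    result["version"] = root.get("version", {}).get("number")
    # _cat/indices is what a leak hunter runs next: names, document counts and store size
    # tell you how much data an anonymous caller could pull with a scroll query.
    with urlopen(Request(base_url + "/_cat/indices?format=json&bytes=b"), timeout=timeout) as resp:
        for idx in json.load(resp):
            result["indices"].append(
                {"index": idx["index"], "docs": int(idx["docs.count"]), "bytes": int(idx["store.size"])}
            )
    return result


class _OpenNode(BaseHTTPRequestHandler):
    """Stand-in for an Elasticsearch 7.x node with security disabled (constructed for this example)."""
    require_auth = False
    # Constructed sample index, sized to mirror the 13 billion records / 6.5 TB quoted above.
    INDICES = [{"health": "green", "status": "open", "index": "bing-logs-2020.09",
                "docs.count": "13000000000", "store.size": "7146825580544"}]

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security" charset="UTF-8"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        if self.path == "/":
            body = {"name": "node-1", "cluster_name": "bing-logs",
                    "version": {"number": "7.9.1"}, "tagline": ES_TAGLINE}
        elif self.path.startswith("/_cat/indices"):
            body = self.INDICES
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class _SecuredNode(_OpenNode):
    """The same node with xpack.security.enabled=true and anonymous access off."""
    require_auth = True


def _serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Probe an open and a secured stub node; returns (open_result, secured_result)."""
    open_srv, open_url = _serve(_OpenNode)
    sec_srv, sec_url = _serve(_SecuredNode)
    try:
        return probe_elasticsearch(open_url), probe_elasticsearch(sec_url)
    finally:
        for srv in (open_srv, sec_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, res in zip(("open", "secured"), run_demo()):
        print(label, json.dumps(res))
```

    Pointed at a real host (`probe_elasticsearch("http://host:9200")`), a result with `unauthenticated` set to true and a non-empty index list is exactly the state the Bing server was in; the 401 branch is what you want to see instead, and it is also why the fix in this story was as simple as putting a password in front of the node.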

  •

    Ransomware is evolving, but the key to preventing attacks remains the same

    Ransomware attacks are getting more aggressive according to a senior figure at Europe’s law enforcement agency, but there are simple steps which organisations can follow to protect themselves – and their employees – from falling victim to attacks.
    “Ransomware is one of the main threats,” Fernando Ruiz, head of operations at Europol’s European Cybercrime Centre (EC3), told ZDNet. Europol supports the 27 EU member states in their fight against terrorism, cybercrime and other serious and organised forms of crime.
    “Criminals behind ransomware attacks are adapting their attack vectors, they’re more aggressive than in the past – they’re not only encrypting the files, they’re also exfiltrating data and making it available,” he explained. “From a law enforcement perspective we have been monitoring this evolution.”
    This year has seen a rise in ransomware attacks where cyber criminals aren’t just encrypting the networks of victims and demanding six-figure bitcoin payment to return the files, but they’re also threatening to publish sensitive corporate information and other stolen data if the victim doesn’t pay the ransom.
    However, Europol’s No More Ransom project is attempting to take the fight to cyber criminals by offering free decryption tools for hundreds of different ransomware families, something estimated to have stopped over four million victims from giving in to ransom demands.
    The scheme is based on collaboration between Europol and over 150 partner organisations in law enforcement, cybersecurity and academia around the world, and the portal is regularly updated with new decryption tools to help victims of ransomware attacks.
    “We’re constantly reaching out to partners involved in the project and asking them to keep us updated on the possibility of new tools to mitigate the damage by the newest ransomware families,” Ruiz explained.
    But the best way to protect against the potential damage of a ransomware attack is to make sure organisations, businesses and individuals have the necessary cybersecurity measures in place to avoid falling victim to ransomware in the first place.
    “Prevention is the key,” said Ruiz. “The main advice is keep backups of your data and keep them offline. Also it’s essential that all the operating systems and anti-virus are properly updated; implement any available patch as soon as possible in order to mitigate any vulnerabilities.” It’s also important that organisations teach employees how to spot a potential cyber attack.
    “There are minimum security measures they can adapt, not only at the company but also at home – don’t download software from non-reliable sources, don’t open attachments if you think they’re suspicious,” Ruiz explained.
    “A number of these essential security measures can prevent most of the successful ransomware attacks we’ve seen,” he added. The full interview with Ruiz is available on ZDNet’s Security Update video series.

  •

    Phishing awareness training wears off after a few months

    Image: Sebastian Herrmann

    Security and phishing awareness programs wear off over time, and employees need to be re-trained after around six months, according to a paper presented at the USENIX SOUPS security conference last month.
    The purpose of the paper was to analyze how the effectiveness of phishing training changes over time.
    Taking advantage of the fact that organizations in the German public administration sector must run mandatory phishing awareness training programs, academics from several German universities surveyed 409 of the 2,200 employees of the State Office for Geoinformation and State Survey (SOGSS).
    Researchers tested the effectiveness of the phishing training over time, with periodic tests at regular intervals, to determine when SOGSS employees would lose their ability to detect phishing emails.
    Employees were split into multiple groups and tested four, six, eight, ten, and twelve months, respectively, after receiving an on-site phishing training course.
    The research team found that while survey takers could still correctly identify phishing emails four months after the initial training, this was no longer the case at six months and beyond, which is the point at which the researchers recommend fresh training.
    Video and interactive training works best
    Researchers also developed their own “reminders” in order to “replenish the employees’ phishing awareness and knowledge,” which they used to re-train employees after taking their survey, and again six and twelve months later.
    “We developed four different ones,” academics said.
    “Four reminder measures were distributed to four groups (one per group): (a) text, (b) video measure, (c) interactive examples, and (d) a short text.
    “Twelve months after the tutorial, we compared the knowledge retention of the four reminder groups […]. Among the four reminder measures, the video measure and the interactive examples measure performed best, with their impact lasting at least six months after being rolled-out.”
    Academics concluded that while training employees in detecting phishing emails might help organizations fend off some attacks, this training needs to be cyclical, with training sessions repeated, optimally every six months and using interactive or video training measures.
    Additional details about the research team’s work can be found in the paper “An investigation of phishing awareness and education over time: When and how to best remind users” [PDF].

  •

    Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints

    The threat landscape is under a constant state of evolution, with enterprise players hard-pressed to keep up with a frequent barrage of vulnerability disclosures, security updates, and the occasional zero-day. 

    Analysts estimate that by 2021, 3.5 million cybersecurity roles will be unfilled, so existing security professionals not only face a seemingly endless fight against attackers but may have to do so while short-staffed, on top of the disruption caused by COVID-19. 
    There are tools out there to help with the strain. Automatic scanners, artificial intelligence (AI) and machine learning (ML)-based algorithms and software that can manage endpoint security and risk assessments, feeds providing real-time threat data, and more. 
    Frameworks also exist, such as MITRE ATT&CK, which provides a free knowledge base compiling tactics and techniques observed in current, real-world attacks.
    It is this data repository that Cisco has examined in a new report describing current attack trends against enterprise endpoints and networks. 
    On Monday, Cisco published a data set based on MITRE ATT&CK classifications combined with Indicators of Compromise (IoCs) experienced by organizations that receive alerts through the company’s security solutions within specific time frames. 
    According to the company, over the first half of 2020, fileless threats were the most common category of critical-severity indicator seen against enterprises. Fileless techniques include process injection and registry tampering, and threats such as Kovter, a fileless Trojan; Poweliks, a code injector that runs inside legitimate processes; and Divergent, fileless Node.js malware. 
    Second were dual-use tools, including Metasploit, PowerShell, Cobalt Strike, and PowerSploit. Legitimate penetration-testing tools such as Metasploit benefit defenders, but attackers abuse the same tooling, which is why their presence on an endpoint is an indicator to triage rather than a finding in itself. 
    Third were credential-dumping tools, led by Mimikatz, an open-source tool that extracts plaintext passwords, password hashes and Kerberos tickets from Windows memory; written for security research, it is routinely weaponized for credential theft and pass-the-hash attacks. 
    Over the first half of 2020, Cisco says these three categories make up roughly 75% of critical-severity IoCs observed. 
    Mapped to MITRE ATT&CK tactics, defense evasion appears in 57% of all IoC alerts and execution in 41%. 
    As modern malware often includes obfuscation, movement, and concealment techniques, as well as the ability to launch payloads and tamper with existing processes, this is hardly a surprise; a single IoC may map to more than one tactic, which is why the percentages do not sum to 100. 
    “For example, an attacker that has established persistence using a dual-use tool may follow up by downloading and executing a credential dumping tool or ransomware on the compromised computer,” Cisco notes. 
    When it comes to critical severity alerts, however, the top three categories — defense evasion, execution, and persistence — undergo a reshuffle. 
    Execution took the top spot from defense evasion among critical-severity alerts, rising 14 points to 55% of IoC alerts. Defense evasion dropped 12 points to 45%, while persistence, lateral movement, and credential access rose by 27, 18, and 17 points, respectively. 

    In addition, some tactics dropped off the list entirely or accounted for less than one percent of critical IoC alerts, including initial access, privilege escalation, and discovery (the post-compromise enumeration of hosts, accounts and network shares, which ATT&CK distinguishes from pre-attack reconnaissance), revealing a shift in focus in critical attacks compared with IoCs overall.  
    To protect against these threats, Cisco recommends that administrators use group policies or allow-lists to control file execution (on Windows, AppLocker or Windows Defender Application Control enforce this) and, where dual-use tools such as PowerShell or Metasploit are genuinely required, grant access to them temporarily rather than permanently. Connections between endpoints should also be monitored frequently, since workstation-to-workstation traffic over SMB, WinRM or RDP is the usual signature of lateral movement. 
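    The last recommendation above, monitoring connections between endpoints, as an added example that is not Cisco’s code or part of the report: a small detection that runs over Sysmon Event ID 3 (network connection) records and flags a workstation talking to another workstation on a remote-service port, then counts how many distinct peers each source reached, which is the fan-out pattern that separates one admin session from a host spreading across a subnet. The six events are constructed sample telemetry, the subnet and the jump-host address are assumptions for the example, and the ATT&CK sub-technique IDs are those of Remote Services (T1021).

```python
import ipaddress
from collections import defaultdict

# Remote-service ports that carry workstation-to-workstation lateral movement (ATT&CK T1021).
LATERAL_PORTS = {
    445: "SMB / admin shares (T1021.002)",
    135: "DCOM over RPC (T1021.003)",
    3389: "RDP (T1021.001)",
    5985: "WinRM (T1021.006)",
    5986: "WinRM over HTTPS (T1021.006)",
    22: "SSH (T1021.004)",
}

# Constructed sample telemetry, not real logs: Sysmon Event ID 3 records flattened to dicts.
# Field names mirror Sysmon's (Image, User, SourceIp, DestinationIp, DestinationPort).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-09-28 09:01:12", "Computer": "WS-017",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe",
     "SourceIp": "10.10.1.17", "DestinationIp": "10.10.1.23", "DestinationPort": 445},
    {"UtcTime": "2020-09-28 09:01:40", "Computer": "WS-017",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe",
     "SourceIp": "10.10.1.17", "DestinationIp": "10.10.1.24", "DestinationPort": 5985},
    {"UtcTime": "2020-09-28 09:02:05", "Computer": "WS-017",
     "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe",
     "SourceIp": "10.10.1.17", "DestinationIp": "10.10.20.5", "DestinationPort": 445},   # file server: normal
    {"UtcTime": "2020-09-28 09:03:30", "Computer": "WS-042",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "User": "CORP\\asmith",
     "SourceIp": "10.10.1.42", "DestinationIp": "10.10.20.10", "DestinationPort": 443},  # web: normal
    {"UtcTime": "2020-09-28 09:04:00", "Computer": "JUMP-01",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\adm-lee",
     "SourceIp": "10.10.5.2", "DestinationIp": "10.10.1.30", "DestinationPort": 3389},   # sanctioned jump host
    {"UtcTime": "2020-09-28 09:05:15", "Computer": "WS-042",
     "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "User": "CORP\\asmith",
     "SourceIp": "10.10.1.42", "DestinationIp": "10.10.1.43", "DestinationPort": 22},
]


def find_lateral_connections(events, workstation_nets, allowed_sources=()):
    """Flag connections from one workstation to another on a remote-service port.

    workstation_nets: CIDR strings for end-user subnets (assumed for this example). Traffic from a
    workstation to a server subnet is normal; a workstation reaching a peer workstation over SMB,
    WinRM, RDP or SSH is the pattern worth an alert. allowed_sources: IPs of sanctioned admin hosts.
    """
    nets = [ipaddress.ip_network(n) for n in workstation_nets]
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}

    def is_workstation(ip):
        return any(ip in net for net in nets)

    alerts = []
    for ev in events:
        src = ipaddress.ip_address(ev["SourceIp"])
        dst = ipaddress.ip_address(ev["DestinationIp"])
        port = ev["DestinationPort"]
        if port not in LATERAL_PORTS or src in allowed:
            continue
        if is_workstation(src) and is_workstation(dst) and src != dst:
            alerts.append({
                "time": ev["UtcTime"], "host": ev["Computer"], "user": ev["User"],
                "image": ev["Image"].rsplit("\\", 1)[-1],
                "src": str(src), "dst": str(dst), "port": port,
                "technique": LATERAL_PORTS[port],
            })
    return alerts


def fan_out(alerts):
    """Distinct peer workstations each source reached; a high count on one host is the spread signature."""
    peers = defaultdict(set)
    for a in alerts:
        peers[a["src"]].add(a["dst"])
    return {src: len(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    found = find_lateral_connections(SAMPLE_EVENTS, ["10.10.1.0/24"], allowed_sources=["10.10.5.2"])
    for a in found:
        print(f'{a["time"]} {a["host"]} {a["user"]} {a["image"]} '
              f'{a["src"]} -> {a["dst"]}:{a["port"]} [{a["technique"]}]')
    print("fan-out:", fan_out(found))
```

    On the sample, the two PowerShell connections from WS-017 and the SSH session from WS-042 are flagged while the file-server, web and jump-host traffic is not; the dual-use tool angle from the report is visible in the `image` field, since PowerShell reaching a peer over WinRM is exactly the kind of activity that a temporary-access policy for such tools is meant to make rare enough to alert on.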


  •

    Cybersecurity skills gap: How this startup aims to solve the talent crisis

    In 2008, just a year after large-scale, state-sponsored cyberattacks on Estonia, NATO set up its Cooperative Cyber Defence Centre of Excellence in Estonia’s capital, Tallinn, to strengthen its capabilities and improve cooperation and information-sharing among its members and partners.
    Among the contractors who helped build a military-class cyber range for NATO’s cyber exercises were IT-infrastructure and security specialists Jaanus Kink, Margus Ernits, and Taavi Must. A few years later, they decided to found a startup based on the experience they had gained.

    “We saw how useful cyber exercises are for defense teams. Once we realized that this kind of learning experience could help cyber teams around the world, we started to build RangeForce – a platform for hands-on training of cyber defenders and running cyber exercises at scale,” RangeForce CEO Must tells ZDNet.
    RangeForce provides cybersecurity training for companies of varying sizes, combining cloud-based, hands-on training modules and cyber-siege challenges and exercises.
    The company provides modules across three main areas, aimed at improving security, application, and DevOps teams. In each area, there are different learning paths, and it tracks how the most popular modules are used.
    In recent years, RangeForce has moved its headquarters to Washington DC and now employs 75 people worldwide, with 35 of them in Estonia. In July, it announced a $16m series A round led by Energy Impact Partners, with Cisco Investments among the investors.
    RangeForce’s primary customers are companies that are big enough to have a security operations center, or SOC.
    “SOCs are terribly expensive to operate at an estimated $2.86m annually per enterprise, a third of which is employee cost. Training new analysts is a top priority, which can take up to a year per employee,” explains Must.
    He says security is experiencing a serious skills gap, with 51% of companies unable to find the new cybersecurity talent they need.
    “If you factor in that analysts typically leave after about two years and it takes, on average, eight months to find a new one, you can see why training and building skills are a top priority.”
    Must explains that a typical customer for RangeForce is a large multinational organization, which has hundreds of security professionals.
    The professionals can use RangeForce learning paths based on their roles with, for example, the SOC 1 analyst path covering 30 modules in topics like MS PowerShell.
    “The company gets to track and see their progress in real time. This can’t happen when an employee is watching a teacher or a video,” says Must.
    “They work hard towards goals. They practice them on their own and in sieges with their colleagues, and then they use them to rectify security flaws in real time. They make training part of their day-to-day work.”
    Must says a company can then also train employees across disciplines to get more out of people.
    “For example, even in a small company, people who deploy applications typically do not handle incidents. With our security vendor modules, they can take a 45-minute training module and learn how to use a new tool that expands their skillsets and makes them more valuable to the company.”
    Must believes that in the cybersecurity field, the main problem lies in not being able to attract, train, and retain the talent necessary to protect the enterprise.
    “We have plenty of technology but the capability to make them effective at using that technology is nascent,” he says.
    “It’s ludicrous to think we can become effective cyber defenders without regularly practicing and testing the ability of a security team to work together under a high-stress environment.”
    Must argues that no other companies combine cloud-based training and cyber-siege exercises. RangeForce has spent the past year building a content-development engine that includes coders, security experts, teachers, and writers.
    Today the company delivers eight to 10 new training modules per week, ranging from beginner classes to advanced training. He says by the end of 2020, RangeForce will offer over 500 hours of training.
    “Companies need content that expands into important security processes that are gaining favor like DevSecOps. They also need content that aligns with the latest security tools on the market like Cisco’s new SecureX integrated detection and response platform, and for the latest vulnerabilities and threats.”
    Must reckons the future of security training involves a lot more integration.
    “Gamified training lesson technology will be integrated with vendor security solutions from companies like Cisco, Carbon Black, Recorded Future, and others. The concept of training as a layer in the stack is brand new,” he says.
    “Customers like it because it helps them get more out of their investments. It’s been said customers typically use around 25% of the capabilities of a security product. That’s one of the reasons why breaches still happen so regularly. It’s not just about more and better training, but making the best use of their tools and integrating their training products.”

  •

    Consultants charged for bribing Amazon Marketplace employees to game the platform

    The US Department of Justice (DoJ) has indicted six individuals for allegedly paying bribes to give Amazon Marketplace merchants competitive advantages. 

    On Friday, US prosecutors named Ephraim Rosenberg, Joseph Nilsen, and Kristen Leccese of New York; Hadis Nuhanovic of Georgia; Rohit Kadimisetty of California; and Nishad Kunji, based in Hyderabad, India, as suspects in the alleged fraud. 
    According to the indictment, issued by a Grand Jury in the Western District of Washington, the six conspired to pay Amazon employees over $100,000 to secure an “unfair competitive advantage” on Amazon Marketplace. 
    The bribery bill is steep, but in return, the fraud carried a commercial worth and sales revenue of up to $100 million, the DoJ claims. 
    Prosecutors allege that since at least 2017, the six acted as consultants to third-party sellers on Amazon, and two of the individuals also operated their own stores. At least 10 Amazon employees and contractors received kickbacks — including Kunji, who apparently began as a seller and then was later roped into the scheme as a consultant — to conduct fraudulent activities behind the scenes.
    This included reinstating suspended merchant accounts and product listings, many of which had been removed following safety complaints about products ranging from dietary supplements to faulty and flammable electronics.
    “The fraudulently reinstated accounts included accounts that Amazon had suspended for manipulating product reviews to deceive consumers, making improper contact with consumers and other violations of Amazon’s seller policies and codes of conduct,” the DoJ added. 
    In addition, the “corrupt” employees facilitated attacks against competitors by sharing business intelligence, suspending other third-party consultant accounts, sharing confidential data relating to Amazon’s algorithms and procedures, and paving the way for the consultants to flood rival products with fake reviews.  
    The six are being charged with wire fraud, conspiracy to commit wire fraud, conspiracy to use a communication facility to commit commercial bribery, and conspiracy to access a protected computer without authorization. 
    Conspiracy to commit wire fraud and conducting wire fraud carry up to 20 years behind bars and a fine of $250,000, whereas the following two charges could result in a prison sentence of up to five years and a further $250,000 penalty. 
    “As the world moves increasingly to online commerce, we must ensure that the marketplace is not corrupted with unfair advantages obtained by bribes and kickbacks,” said US Attorney Brian Moran. “The ultimate victim from this criminal conduct is the buying public who get inferior or even dangerous goods that should have been removed from the marketplace.”
    The FBI, IRS, and the DoJ’s Office of International Affairs are investigating the case. The defendants are due to appear in the US District Court in Seattle on October 15. 


  •

    Sydney man sentenced for mining over AU$9,000 in cryptocurrency on CSIRO kit

    Image: Dmitry Moraine
    The Australian Federal Police (AFP) on Monday announced the sentencing of a 34-year old man from Sydney for using Commonwealth Scientific and Industrial Research Organisation (CSIRO) equipment to carry out cryptocurrency mining.
    The North Shore man was hired as a contractor in January 2018; his role in data archiving and software support gave him legitimate access to the servers and supercomputers that he then used for mining.
    The AFP said the man accessed servers and supercomputers meant for undertaking a range of official scientific research and modified data within those systems, without authorisation, to mine cryptocurrency for his personal gain.
    It is estimated the man mined approximately AU$9,400 in cryptocurrency.
    The AFP’s Cybercrime Operations unit launched an investigation after CSIRO detected a “serious impairment of its infrastructure” and immediately reported it to the AFP. The feds executed a search warrant at the man’s property in March 2018, seizing a laptop and mobile phone, among other items.
    The man was charged in May 2019 with manipulating the computer programs of a federal governmental agency to mine cryptocurrency while being employed as a government IT contractor.
    He pleaded guilty on 28 February 2020 to the charge of unauthorised modification of data to cause impairment, and on Friday was sentenced to a 15-month imprisonment term to be served by way of an intensive community order, which includes 300 hours of community service.
    “Throughout the investigation it was calculated the minimum monetary impairment of the CSIRO supercomputers equated to at least AU$76,000,” the AFP said in a statement.
    “This man’s activities diverted these supercomputer resources away from performing significant scientific research for the nation, including Pulsar Data Array Analysis, medical research, and climate modelling work to measure impacts to the environment from climate change,” AFP commander of Cybercrime Operations Chris Goldsmid added.
    “The consequences are clear — this was a misuse of Australian taxpayers’ trust by a Commonwealth employee, motivated by personal gain and greed.”

  •

    TikTok tells Australian Senate committee it doesn't want to be a 'political football'

    In a submission to the Senate Select Committee and its inquiry into Foreign Interference Through Social Media, controversial video-sharing app TikTok has taken the opportunity to address what it has labelled misinformation in regards to itself.
    TikTok, owned by China’s ByteDance Ltd, is currently offered in “all major markets” except China, where the company offers a different short-form video app called Douyin, and Hong Kong, following the introduction of its new security law.
    It is currently banned in India and was previously on the US chopping block when President Donald Trump issued executive orders to ban the app. The app was given a reprieve, however, when Trump gave preliminary approval to a deal that would create TikTok Global, with Oracle and Walmart together taking a 20% stake.
    The app was launched in May 2017 and its official launch in Australia occurred in May 2019.
    TikTok said the personal data it collects from Australian users is stored on servers located in the United States and Singapore.
    “We have strict controls around security and data access. As noted in our transparency reports, TikTok has never shared Australian user data with the Chinese government, nor censored Australian content at its request,” it wrote [PDF].
    “We apply HTTPS encryption to user data transmitted to our data centres and we also apply key encryption to the most sensitive personal data elements. User data is only accessible by employees within the scope of their jobs and subject to internal policies and controls.”
    The company said any legal requests from the Chinese government relating to Australian TikTok user data would need to go through the Mutual Legal Assistance Treaty (MLAT) process.
    “The Chinese government or law enforcement would need to send the evidence disclosure request through the relevant MLAT process.”
    If the data was stored in the United States, the US Department of Justice (DoJ) would be the appropriate body to consider the MLAT request.
    “If the US DoJ approved the evidence request, the US DoJ would send the request on to us at TikTok. If the request from the US DoJ complied with our processes and legal requirements, we would provide the user data information to the US DoJ, who would in turn pass the data on to the Chinese government or law enforcement,” it said.
    “To date, we have not received any MLAT requests in respect of Australian user data, nor have we received requests to censor Australian content from, the Chinese government.”
    Prime Minister Scott Morrison in August said that he had a “good look” at TikTok and there was no evidence to suggest the misuse of any person’s data.
    “We have had a look, a good look at this, and there is no evidence for us to suggest, having done that, that there is any misuse of any people’s data that has occurred, at least from an Australian perspective, in relation to these applications,” he told the Aspen Security Forum.
    “You know, there’s plenty of things that are on TikTok which are embarrassing enough in public. So that’s sort of a social media device.”
    Morrison said the same issues are present with other social media companies, such as Facebook.
    “Enormous amounts of information is being provided that goes back into systems. Now, it is true that with applications like TikTok, those data, that data, that information can be accessed at a sovereign state level. That is not the case in relation to the applications that are coming out of the United States. But I think people should understand and there’s a sort of a buyer beware process,” the prime minister added.
    “There’s nothing at this point that would suggest to us that security interests have been compromised or Australian citizens have been compromised because of what’s happening with those applications.”
    TikTok said it understands that with “[its] success comes responsibility and accountability”.
    “The entire industry has received scrutiny, and rightly so. Yet, we have received even more scrutiny due to the company’s origins,” it said.
    “Whilst we don’t want TikTok to be a political football, we accept this scrutiny and embrace the challenge of giving peace of mind by providing even more transparency and accountability.”
    In its submission, TikTok outlined the steps it has taken in relation to COVID-19, such as removing content containing medical misinformation and also content that included false information that was “likely to stoke panic and consequently result in real world harm”.
    The company added that it understood it has a responsibility to protect users from misleading information, educate on why it is inappropriate to post and spread misinformation, as well as encourage users to think twice about the information provided in any given post.  
    TikTok said it has also limited the distribution of conspiratorial content that may allege COVID-19 was intentionally developed by a person, group, or institution for nefarious purposes, and also removed content that suggests a certain race, ethnicity, gender, or any member of a protected group is more susceptible to have and/or spread coronavirus.
    “In light of the pandemic and the serious risk it poses to public health, we are erring on the side of caution when reviewing reports related to misinformation that could cause harm to our community or to the larger public. This may lead to the removal of some borderline content,” it wrote.
    TikTok said it is also continuing to invest in efforts to actively identify misinformation and to prevent inauthentic behaviour. It boasts a TikTok Transparency and Accountability Centre in Los Angeles, with another being built in Washington DC.
    The app’s community guidelines also state that TikTok is not the place to post, share, or promote: Harmful or dangerous content, graphic or shocking content, discrimination or hate speech, nudity or sexual activity, child safety infringement, harassment or cyberbullying, intellectual property infringements, or impersonation, spam, scams, or other misleading content.
    “We continue to consult with a wide range of industry experts, academics and civil society organisations to seek guidance on improving our policies,” it said.
    “We welcome collaboration with Australian industry players and regulators. This includes working with the Australian Communications and Media Authority (ACMA), towards the development of a draft industry code of conduct on misinformation, which is due for release later this year.”
    TikTok is due to appear before the committee on Friday. Labor previously said it wanted to ask TikTok how it approaches Australian privacy laws.