STE WILLIAMS

Google sent ~40K warnings to targets of state-backed attackers in 2019

In 2019, Google sent nearly 40,000 warnings to accounts that were targeted by state-sponsored phishing or malware attacks, it reported on Thursday.

That’s a nearly 25% drop from 2018: an improvement for which it claims at least some credit. Toni Gidwani, Google’s Threat Analysis Group (TAG) security engineering manager, said:

One reason for this decline is that our new protections are working – attackers’ efforts have been slowed down and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt.

Distribution of the targets of government-backed phishing in 2019. IMAGE: Google

Threat actors pretend to be journalists, news outlets

TAG has seen a rising number of attackers impersonating news outlets and journalists, including those from Iran and North Korea. For example, they’ll impersonate a journalist to spread fake news among other reporters.

Google’s also seen cases wherein attackers first try to chummy up with targets by sending several benign emails to build rapport. Then, they’ll send a malicious attachment in a follow-up email. Google says that government-backed attackers “regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks.”

This has been going on for a while. We saw an example in 2017, when a fake hot babe with a patently fake LinkedIn profile (a 28-year-old MIT grad with 10 years of experience? Oh, puh-leez!) managed to dupe IT guys at a US government agency that specializes in offensive cybersecurity.

The (mostly) not surprising, heavily targeted sectors

Google published this chart showing where one state-backed threat actor – the Russian group Sandworm – has focused its hacking over the past three years. Like other government-backed attackers, they’ve heavily targeted geopolitical rivals, government officials, journalists, dissidents and activists:

Heavily targeted sectors that are (mostly) not surprising. IMAGE: Google

If at first they don’t succeed, they’ll try, try again

These adversaries are nothing if not persistent. Google says that last year, one in five accounts that it warned about phishing or malware attacks was targeted multiple times. No luck penetrating your defenses? That’s OK, they’ll go after somebody you know, Gidwani says, or try to tempt you some other way:

If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target.

It’s not hard to find examples: for one, we saw a WhatsApp zero-day that allowed hackers to silently install government spyware onto victims’ phones and was exploited in the wild.

That zero-day was used to target Amnesty International. Subsequently, in May 2019, the human rights group sued the makers of Pegasus, alleging that its spyware was used to surveil Amnesty staff and other human rights defenders, thereby putting human rights at risk.

Google claims that its Advanced Protection Program (APP) — a free service for Google accounts that’s currently on limited release — safeguards personal Google Accounts from targeted attacks, going beyond two-factor authentication (2FA) by adding another security step. You will need…

  • An Android 7.0+ device, which has a built-in security key;
  • An iPhone with the free Google Smart Lock app (which you can get here); or
  • Two security keys in order to enroll, the cost of which varies by model. Here’s Google’s guide to picking and purchasing a security key that will work with your device. Any key that supports the FIDO open standard will work.

As of Friday, there was a waiting list to join the service. In the meantime, Google suggests turning on 2FA and running its security checkup.

We say hear, hear! to the 2FA advice.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rcIjuHYrwHM/

Should governments track your location to fight COVID-19?

Anyone viewing their Google Maps Timeline for the first time gets one of two feelings: Dread at the thought of how much information the company collects about their every move, or elation as they realise they can go back and see what they were doing not just on any given day, but during any given minute.

Governments struggling to control the spread of COVID-19 have been quick to catch on to these possibilities. This data could help them track other patients that a newly diagnosed sufferer had been in contact with. In aggregate, it could help identify high-risk areas where people are gathering. It could also have other, more invasive uses.

This weekend, the Wall Street Journal reported that US government officials are using location data from millions of cellphones to understand citizens’ movements and how they’re affecting the spread of the disease. That data, which sources have said is stripped of personally identifying information, shows how community hubs like shops and parks are still drawing crowds. The data can also show how well the population at large is following requests to stay indoors. A lot of this data comes from advertising companies that gather it as a matter of course, the paper said.

Other countries are taking a soft approach to using location data for the public good. Singapore’s voluntary TraceTogether app uses Bluetooth for proximity tracking. When two users’ phones come near each other, they send each other a message containing a timestamp, their Bluetooth signal strength, their phone’s model, and a temporary identifier. The phones store that information. Should a user test positive for the virus, they can upload their data to the Ministry of Health, which will decode it and use it to identify others that they may have infected.

In Israel, the Health Ministry has reportedly released an app that uses voluntary data to shield citizens from exposure while protecting their privacy. It notifies people when they have come into contact with infected citizens, but it keeps all this data on the users’ devices. The government makes this work by sending anonymous data on infected citizens’ movements to users’ phones.

Ireland’s government revealed plans for a voluntary tracking app that seems to work on the same basis as Singapore’s software. Expect to see that within ten days, said officials at the country’s Health Service Executive over the weekend.

While many such efforts are voluntary, some countries have sourced the data without users’ explicit consent. For example, Israel’s voluntary initiative only happened after the government there passed regulations allowing the Israeli police to track the cellphones of COVID-19-positive individuals using its anti-terrorism Shin Bet cellphone location tracking system.

The UK is said to have joined Germany, Austria, Spain, Belgium, and others in Europe to source anonymised location data directly from telcos. Following China, Europe was the hardest hit by the spread of the virus in early March. Governments are using the data to determine how much people are moving around and congregating, according to reports.

Is this legal? The European Data Protection Board (EDPB), established under GDPR, has issued a statement about the processing of data during the health crisis. It says:

Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.

Adding that these conditions apply when processing is necessary for reasons of substantial public interest in the area of public health:

Under those circumstances, there is no need to rely on consent of individuals.

That doesn’t mean it can play fast and loose with personal data though. Authorities must rely on data protection techniques, it adds. GDPR includes anonymisation among those techniques, although as researchers and activists have demonstrated in the past, you can still reconstruct people’s identities from anonymised data sets.

Other countries make people an offer they can’t refuse. Poland has launched a phone app for people under mandatory 14-day quarantines after returning from travel abroad. They must take photographs of themselves several times each day to prove they’re not outside, spokespeople said. If they fail to install the app, the police may show up at their door for a random check. The app reportedly uses both location tracking and facial recognition tech.

This all raises an important question: How much should civil rights, especially privacy, be eroded when dealing with a threat as pernicious as COVID-19? In an open letter, a group of technology and medical professionals led by EFF distinguished technology fellow Dr Peter Eckersley stops short of recommending direct governmental data-gathering but calls for help from mobile operating system vendors. Singling out Apple and Google, it says that they should build it directly into the mobile operating system on an opt-in basis:

Users who opt in could be notified in a non-identifiable way if they had been in the same spaces as subsequently identified cases, in order to enable self-quarantine, monitoring, early detection and prevention of tertiary cases. If such a feature could be built before SARS-CoV-2 is ubiquitous, it could prevent many people from being exposed.

What do you think about the use of location tracking data to help combat the spread of COVID-19, and to monitor self-isolation practices during the outbreak? Should this be mandatory? If it saves just one life, isn’t it worthwhile?



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ribWRYG5Cyc/

Chrome may bring back ‘www’ with option to show full URLs

Enough people must have griped about the loss of “www” and “https” in Chrome’s address bar to make Google rethink it: Chromium developers are testing a new Omnibox context menu that would give users the option to “Always Show Full URLs.”

You can see what the final rendition of the “Show Full URLs” menu might look like here.

Google’s doing this a bit grudgingly: it still thinks that showing what it’s called the “trivial subdomain” will distract users making security assessments.

The feature is currently available only in the experimental Chrome 83 Canary build. After users select the option in Chrome’s address bar – what Google likes to call the “Omnibox” – it will stay there permanently, always showing full web addresses, replete with their “https” and “www”.

On 17 March, Chromium developers outlined the plan for users to opt-out of URL snippage in a post on the bug tracker titled “Implement Omnibox context menu option to always show full URLs”.

The post’s author, Chromium software engineer Livvie Lin, had this to say in a design document:

The Omnibox context menu should provide an option that will prevent URL elisions for the entire Chrome profile.

We’re not sure that this won’t do more harm than good, Lin said:

Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage.

…but the risk is mitigated by the fact that Google expects that users who opt-in to the setting are “power users who understand URLs (and in such cases, potentially improve security),” Lin said.

Lin said that this will be for desktop only. It will apply across all desktop sessions (including Incognito sessions) on all devices, as it applies to Chrome profiles.

Google removed the “www” from Chrome 70 in 2018. The new setting doesn’t reverse that decision, in spite of it having been a controversial move that some said would actually make it easier for crooks to fool us with fake websites.

The feature is still experimental in Chrome 83. It can be enabled in that version by typing in chrome://flags/ and setting Context menu show full URLs.

It will be a quick way to permanently stop Chrome from making what it refers to as elisions in the Omnibox – if, in fact, the feature makes its way to the final Chrome 83 release.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AtdJ3T2JKzc/

Apple’s iOS 13.4 hit by VPN bypass vulnerability

It’s less than a week since Apple’s iOS 13.4 appeared and already researchers have discovered a bug that puts at risk the privacy of Virtual Private Network (VPN) connections.

Publicised by ProtonVPN, the issue is a bypass flaw caused by iOS not closing existing connections as it establishes a VPN tunnel, affecting iOS 13.3.1 as well as the latest version.

The company said it was disclosing the issue despite there being no patch because it believed it was better that providers and users knew about it now. Remote working and VPN use has increased as more workers self-isolate to avoid COVID-19.

Luckily, ProtonVPN has also discovered a workaround which involves turning airplane (or flight) mode on and off to reset all connections (see below for full instructions).

VPN privacy

A VPN app should open a private connection to a dedicated server through which all internet traffic from the device is routed before being forwarded to the website or service someone is accessing.

This means the ISPs and public Wi-Fi routers can’t snoop on the user’s traffic while websites and services can’t see the real IP address of the user.

This is more comprehensive than HTTPS, which only secures connections to individual websites or installed apps, one at a time. HTTPS also doesn’t hide other revealing traffic such as Domain Name System (DNS) lookups, which ISPs monitor to see which web domains someone is visiting.

The bypass bug

A ProtonVPN researcher fired up a monitoring tool called Wireshark and noticed that even when the VPN was turned on it was still possible to see that traffic was passing between the device and third-party IP addresses.

That means that iOS wasn’t closing those connections when the VPN started. What it should have been doing was terminating them before reconnecting them once the VPN has been established.

In short, everything that starts after the VPN is up will be tunnelled, but connections opened before that moment may not be, unless the app resets them of its own accord (some connections are longer-lived than others).

This wouldn’t expose the information being passed inside those connections, which on iOS will use HTTPS. However:

An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.

The IP address might sound less important than the information passed from, say, an installed app, but it reveals the ISP location and, potentially, the identity of the end-user. It also leaks information on the IPs the device has previously connected to, for example, a website or service.
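As an added illustration of what the ProtonVPN researcher saw in Wireshark (this is example code, not ProtonVPN’s or Apple’s tooling), the script below takes packets captured on the device’s physical interface, works out when the tunnel came up, and flags any peer still being talked to in the clear afterwards, distinguishing flows that pre-dated the tunnel from new ones. The addresses and packet records are constructed.

```python
"""Spot connections that keep running outside a VPN tunnel after it comes up.

Added example, not ProtonVPN's or Apple's code. It assumes packets captured on
the device's physical interface were already exported as (timestamp, src, dst)
records; SAMPLE below is constructed, not from a real capture.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    src: str
    dst: str


def peer_of(pkt: Packet, device_ip: str) -> Optional[str]:
    """Return the remote end of a packet involving the device, else None."""
    if pkt.src == device_ip:
        return pkt.dst
    if pkt.dst == device_ip:
        return pkt.src
    return None


def tunnel_up_time(packets: Iterable[Packet], device_ip: str,
                   vpn_server_ip: str) -> Optional[float]:
    """Timestamp of the first packet exchanged with the VPN server (tunnel start)."""
    times = [p.ts for p in packets if peer_of(p, device_ip) == vpn_server_ip]
    return min(times) if times else None


def find_leaks(packets: Iterable[Packet], device_ip: str, vpn_server_ip: str,
               tunnel_up_ts: float, ignore_peers=()) -> Dict[str, str]:
    """Map each peer still reached in the clear after the tunnel is up to a label.

    Once the tunnel is up, every packet on the physical interface should go to
    the VPN server. Any other peer seen afterwards is a leak: "pre-existing"
    when the flow already existed before the tunnel came up (the behaviour
    described above), "new" otherwise. ignore_peers lets the caller exclude
    expected local traffic such as the LAN gateway or DNS resolver.
    """
    seen_before = set()
    leaks: Dict[str, str] = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        peer = peer_of(pkt, device_ip)
        if peer is None or peer == vpn_server_ip or peer in ignore_peers:
            continue
        if pkt.ts < tunnel_up_ts:
            seen_before.add(peer)
        else:
            leaks.setdefault(peer, "pre-existing" if peer in seen_before else "new")
    return leaks


DEVICE = "192.0.2.10"       # constructed: the phone's address on the local network
VPN_SERVER = "203.0.113.5"  # constructed: the VPN endpoint
SAMPLE: List[Packet] = [
    Packet(2.0, DEVICE, "198.51.100.7"),   # long-lived session opened before the VPN
    Packet(5.0, "198.51.100.7", DEVICE),
    Packet(10.0, DEVICE, VPN_SERVER),      # tunnel comes up
    Packet(11.0, DEVICE, VPN_SERVER),
    Packet(12.5, DEVICE, "198.51.100.7"),  # old session carries on in the clear
    Packet(13.0, "198.51.100.7", DEVICE),
    Packet(14.0, DEVICE, "198.51.100.9"),  # brand-new flow bypassing the tunnel
    Packet(15.0, DEVICE, VPN_SERVER),
]

if __name__ == "__main__":
    up = tunnel_up_time(SAMPLE, DEVICE, VPN_SERVER)
    for peer, kind in find_leaks(SAMPLE, DEVICE, VPN_SERVER, up).items():
        print(f"{peer}: {kind} connection outside the tunnel")
```

Run against a real export, a "pre-existing" result is the pattern the article describes; a "new" result means something other than the unclosed-connection bug is bypassing the tunnel.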

Workarounds

A patch might not appear for weeks, which leaves users with two workarounds.

The first, suggested by Apple, is to configure the Always-on VPN setting via mobile device management (MDM). That should be possible for some business users.

However, it won’t be an option for home users running a third-party VPN app they downloaded from the App Store, which leads us to the second option:

  1. Connect to the app’s VPN server.
  2. Turn on airplane mode. This will kill all internet connections and temporarily disconnect the VPN.
  3. Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel (this is not guaranteed to work 100% of the time).

Of course, users still have to remember to do this each time they connect, possibly several times a day. It’s far from ideal.

At least Apple knows about the issue. ProtonVPN said:

We have been in contact with Apple, which has acknowledged the VPN bypass vulnerability and is looking into options to mitigate it. Until an update is available from Apple, we recommend the above workarounds.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cLtgUW9Q0Ug/

How to stay on top of coronavirus scams – and all the others too

It’s not like cybercriminals to take advantage of a world event… and this is a rather large world event.

Since COVID-19 hit the headlines, we’ve covered a selection of coronavirus-related scams, phishing attacks and malware campaigns in which crooks have adapted existing sextortion emails, mobile malware and password stealing tricks to exploit people’s fear and uncertainty.

And measurements from SophosLabs show that the ones we’ve published as specific examples are just a few of many cyberscams that refer to corona or covid-19.

To help you stay on top of it all, SophosLabs plus our data science and threat response teams have created a “living article” where you can quickly access regularly updated information about the expanding “cybercorona” threat, including:

  • An industry discussion channel of the latest threat intelligence.
  • A Github repository of indicators of compromise (IoCs).
  • Updated statistics on the volume of pandemic-related cybercriminality.

What to do?

Remember that not every cybercriminal is jumping on the coronavirus scamming wagon – in fact, we’re willing to bet that there are crooks focusing on crimes such as stealing PayPal accounts and hitting you with fake technical support calls who are rubbing their hands in glee right now.

Their glee comes from the prospect of people getting so distracted by the much more visible and widely-reported pandemic scams that they no longer have enough time to be vigilant against all the other scams that have been joined by the new-look attacks.

(The old-school scammers and the “new tricks” crooks are often the same people, of course, burning the cybercriminal candle at both ends, as it were.)

So the bad news is that you have to watch out for a plethora of new coronavirus cyberscams, as well as all the old stuff, too.

That’s where our “living report” article comes in handy, so you don’t have to spend ages hunting down the latest coronaclasms yourself!

Four quick tips:

  1. Don’t login to company websites via emails or texts. If a company wants or needs you to login to your account, you should already know how to access your account from the company’s own site or app. Even if it takes a few more clicks, it’s time well saved because you will automatically miss out on “logins” that could compromise your security.
  2. Don’t make payments via links in emails or texts. This is point 1 in a different guise. If you need to pay a company online, reach the payment page by following your own research, or using a link from a document you already have such as a contract or a recent bill. Don’t get begged, cajoled or frightened into taking exactly the “short cut” the crooks want.
  3. Don’t turn off security features because a document tells you to. Avoid opening unexpected or unsolicited email attachments if you can (and if you do, don’t click links in those documents – see 1 and 2). If a document asks you to [Enable content] when you open it, or make some other security downgrade, don’t do it – it’s a trick.
  4. Don’t trust apps because the app creator tells you to. App reviews, positive app comments and high download counts are cheap to buy if you have no scruples. Reputation must be earned – it can’t be bought or self-declared. If in doubt, ask someone you know and trust for advice.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z-qSR_BW2IY/

You know all those stories of leaky cloud buckets taken offline? Well, some may still be there, just badly hidden

Roundup: It’s once again time for the El Reg security roundup.

Takedown doesn’t quite take down everything

Last week, The Register covered the story of how VPNmentor found and ultimately got a public-facing Amazon-hosted S3 bucket containing financial records of thousands of small businesses removed from view.

In that story, it was reported the misconfigured bucket in question was removed in January after AWS was notified. Shortly after our story was published, an infosec bod, who asked to remain anonymous, told El Reg they could access the files in the leaky bucket weeks after it was supposedly taken down.

After a few days of back and forth, it was concluded that for those weeks between when the takedown was said to have happened and when everything had actually gone offline, only the public-facing index, listing its contents and URLs to the data, had been removed from public view. This meant the files in the bucket could still have been accessed by anyone who had previously enumerated them.

What it boils down to, is that a takedown request to AWS doesn’t mean Amazon steps in and pulls the whole database from public view. Rather, the cloud giant reaches out directly to the contact it has with the customer and lets them know their storage silo was misconfigured. Usually this ends with the database owner reconfiguring their bucket so that it’s truly hidden from public view, but sometimes, as in this case, the owner opts to disable just the public directory index. That means URLs scraped from the index still work.

Fortunately, it seems these cases are pretty rare. Multiple vulnerability hunters The Register spoke to on this matter all said that the overwhelming majority of companies respond promptly and positively when they catch word of an exposed database or storage bucket, taking the whole shebang down from public view.

However, some outfits will just remove the bucket’s public index, thinking that will hide or obscure the contents, which is not a safe thing to do. Consider this an FYI for in future when organizations say they’ve taken down a leaky cloud silo.
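To make the index-versus-objects distinction concrete, here is an added example (not AWS’s or VPNmentor’s code) that evaluates an S3 bucket policy for an anonymous caller and reports separately whether the bucket can be listed and whether its objects can be fetched. It assumes "disabling the public index" means dropping the anonymous s3:ListBucket grant while leaving s3:GetObject in place; the bucket name and policies are constructed, and ACLs, Block Public Access and Condition blocks are deliberately not modelled.

```python
"""Check whether an S3 bucket policy still lets anyone fetch objects once listing is off.

Added example, not AWS's or VPNmentor's code. It reads "disabling the public
directory index" as dropping the anonymous s3:ListBucket grant while leaving
s3:GetObject in place (an assumption about the case above). Only the bucket
policy is evaluated: ACLs, Block Public Access and Condition blocks are not
modelled, so a False here is not proof that the bucket is private.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

BUCKET = "acme-records"  # constructed placeholder bucket name
ARN = f"arn:aws:s3:::{BUCKET}"


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(patterns: Any, action: str) -> bool:
    # IAM action names are case-insensitive and may use wildcards (s3:Get*, s3:*).
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns: Any, resource: str) -> bool:
    # Resource ARNs are case-sensitive and may use wildcards.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def anonymous_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """IAM-style decision for an anonymous caller: an explicit Deny beats any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _action_matches(stmt.get("Action"), action):
            continue
        if not _resource_matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def public_exposure(policy: Dict[str, Any]) -> Dict[str, bool]:
    """Report whether anyone can list the bucket and whether anyone can read its objects."""
    return {
        "listing": anonymous_allowed(policy, "s3:ListBucket", ARN),
        "objects": anonymous_allowed(policy, "s3:GetObject", f"{ARN}/*"),
    }


# Constructed policies for the three states described in the story.
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    # Fully exposed: index and files both readable by anyone.
    "before": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": ARN},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": f"{ARN}/*"},
    ]},
    # "Taken down" by removing only the listing grant: previously scraped URLs still work.
    "index_removed": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
         "Resource": f"{ARN}/*"},
    ]},
    # Properly locked down: an explicit Deny for anonymous callers on everything.
    "locked_down": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ARN, f"{ARN}/*"]},
    ]},
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, public_exposure(policy))
```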

Yes, is friendly vulture of Register, The. Pleased to have your login now

A report from Google claims phishing attacks from government-backed spies are increasingly disguised as messages from journalists. When state-backed hackers try to infiltrate the networks of activist groups, companies, or government agencies, one of the favored lures is posing as a reporter with an inquiry.

“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,” Google writes. “In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email.”

Later in the report, Google revealed it had found one instance where a state-sponsored group packed a whopping five exploits, all of them zero-days, into a single campaign.

“The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns,” Google said.

“The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”

iOS video tool VLC can leak user data

A report from Cognosec security researcher Dhiraj Mishra explains how a vulnerability in the popular VLC video software can be used to lift videos from an iOS device.

The since-patched bug was attributed to an insecure direct object reference.

Hackers try to “frame” white-hat

Threat-hunter Bob Diachenko reports on this rather amusing effort by some criminal hackers to try and get Night Lion Security bod Vinny Troia in hot water.

As you might have guessed, the attempt was unsuccessful.

Deer.io market shuttered

A few weeks after nabbing Deer.io’s alleged founder, the FBI says it has finally closed down the cybercrime market once and for all.

This comes after Kirill Victorovich Firsov was arrested in New York and charged with running a site that racked up an estimated $17m in fraudulent activity. Firsov is due to appear in court on April 6, though the coronavirus health emergency is likely to delay the trial for some time.

GE blames partner company for data leak

General Electric has sent out notifications to employees that some of their personal data was leaked.

In the letter [PDF], also shared with the California Attorney General, GE says that it in fact was Canon who accidentally sent out records containing worker information.

“We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 – 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems.”

Employees who were affected will get two year’s free credit monitoring, courtesy of Canon.

Kaspersky offers free AV tools to hospitals

Despite being in a global pandemic, hackers are not taking it easy on the networks of hospitals, and with so many facilities flooded with patients due to the ongoing pandemic, a malware infection has the potential to be catastrophic.

Enter Kaspersky who says that healthcare institutions will now be able to get six free months of AV protection to help keep their networks safe as they ride out the coronavirus outbreak.

Unit42 launched COVID-19 cybersecurity primer

The team at Palo Alto Networks’ Unit42 research operation has set up this ongoing report dedicated to listing and tracking threats associated with the coronavirus outbreak.

There is no shortage of material. Malware writers, phishing operators, and scam sites have all exploded around the outbreak.

“The purpose of this report is not to contribute to the fear and anxiety many of us are already experiencing, but to help you be informed about what is happening and how to protect yourself and your organization,” says Unit42.

“We will update this blog as new information comes to light.”

OpenWRT deals with man-in-the-middle update meddling

The OpenWRT project has patched a man-in-the-middle vulnerability in its software.

Dutch security researcher Guido Vranken said a miscreant who was able to intercept connections between a vulnerable router or other OpenWRT device and an upstream firmware server could then send the device poisoned software updates, thanks to an error that prevents OpenWRT from properly verifying the checksum of update files.

While an attack isn’t particularly likely, owners of OpenWRT gear should still update to versions 18.06.7 or 19.07.1, where the bug is patched.

Bad USB spotted in the wild

This month we got a rare look at an (unsuccessful) badUSB attack in the wild.

Trustwave reports that the poisoned USB stick, disguised as part of a Best Buy gift card giveaway, was not plugged in by the organization that received it, but instead handed off to the security company, who found it was indeed an Arduino microcontroller that tried to harvest and siphon off data.

Naked man crashes school lesson in Norway

Parents in Norway were mortified this week when students reported that a naked man had crashed their video lesson.

The man, apparently, guessed a weak password students were using for remote classes on the Whereby app and, unfortunately, was able to join the video stream.

Cyber-insurer Chubb warns of ransomware

Chubb, a lock company that has a side business in “cyber-insurance,” has become the latest victim of the Maze ransomware.

The ransomware operators have threatened to release the infected data should the payout not be delivered. Chubb, meanwhile, says it is investigating the matter. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/30/security_roundup_280320/

Poured your info out on a call to 118 118 Money? Bad luck. Credit provider ‘fesses up that hacker nabbed customer service phone recordings

The digital burglary at 118 118 Money exposed recordings of customer service calls that included a raft of personal information although thankfully not payment data.

As revealed last week, the parent company of the personal loans and credit card provider – the sister business of the better-known UK directory enquiries service – pulled its website offline after spotting an unauthorised intruder.

At the weekend, it wrote to customers again to inform them that a person or persons were identified on its network on 20 March and “recordings of customer service calls were accessed by the criminals responsible for the cyber attack”.

“For those customers who have called our customer service line, certain pieces of personal data could potentially be affected,” the letter continued. “This could include your name, address and date of birth or other personal information that was discussed as part of the call with our customer service team.”

Given the data was contained in the form of call recordings, “it would be extremely time consuming for anyone to attempt systematically to extract or copy your personal information.”

So that’s OK then. Of course, the company is sorry for the incident and takes “the protection of your confidential and personal information extremely seriously”.

118 118 Money said the database itself was not broken into, and “as soon as we became aware of the situation, we took the immediate step of taking our network offline and working with cyber security experts to ensure the security of both our network and data.”

The Information Commissioner’s Office was notified of the breach and a report was dispatched to the National Cyber Security Centre for further probing.

The website remains out of service a week after it was pulled offline on 23 March.

“We are making every effort to reintroduce our services and will provide full access to our Mobile App and services as soon as possible,” the letter to customers added.

Despite saying there is a “low risk to your data being used fraudulently”, 118 118 Money offered customers “complimentary access” to Experian’s Identity Plus ID fraud monitoring service for 12 months.

The business warned customers that phishing scammers may contact them via the phone or web, and that any such attempts should be reported to Action Fraud. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/30/118_118_money_call_recordings/

Securing Your Remote Workforce: A Coronavirus Guide for Businesses

Often the hardest part in creating an effective awareness program is deciding what NOT to teach.

In response to the coronavirus pandemic, organizations worldwide are implementing work-from-home policies. Yet for many businesses, managing an entirely remote workforce is completely new, which means they may lack the processes, policies, and technologies that enable employees to work from home safely and securely. In addition, many employees may be unfamiliar or uncomfortable with the idea of working from home. As a result, organizations are scrambling to quickly roll out security awareness initiatives that enable their workforce to work from home safely and securely.

Scanning the news over the past several days, most articles are focused on the end user (that is, the employee) and helping them deal with this unexpected transition to a work-from-home environment. While that is an important component, we must not forget about the organization. For many, deploying a remote workforce at this scale is uncharted waters. Enabling organizations to secure their end users is key. After all, they are the ones that best understand the culture and risk of their organization. Therefore, it is the organization that is in the best position to secure its users.

After helping hundreds of organizations do this over the past 10 years, and having authored two courses on human security, here are some key takeaways to consider.

Ultimately, your goal is to make security simple for people. They are overwhelmed right now with a tremendous amount of change, chaos, and anxiety. Whatever we do, simplicity is the key. There are two key elements to this. The first is enabling people, which we do by focusing on as few behaviors as possible. The more processes, policies, and procedures you throw at people, the more likely they are to be overwhelmed and fail. Work with your security team to identify the fewest risks that have the greatest impact, and the behaviors that manage those risks. We recommend you start with these three risks:

  • Risk 1: Social engineering
  • Risk 2: Passwords
  • Risk 3: Updating


On the flip side, we must communicate with and engage your workforce; this is where your communications team comes in. Our goal is to motivate people to change. In many ways, this is similar to marketing — we have to sell people on why this change is important, and then make that change as easy as possible. Use clear, simple, and engaging materials that people can relate to, in their native language. One of my favorite communication/marketing models for this is AIDA (attention, interest, desire, and action).

Finally, I recommend creating some type of channel where employees can ask questions and/or report incidents in real time, such as Slack, Zoom, or Skype channels, or online forums. Security teams need to be approachable and helpful at this time, not aloof or highly technical. Ultimately, this is a people problem, which means it needs a people solution. The key to executing any effective program is partnering with others, such as security incident response/security operations center teams, HR, and your communications team.

If you wish to learn more, SANS Security Awareness has created the Securely Working from Home Deployment Kit. This free kit provides security awareness professionals with a detailed, step-by-step guide on how to rapidly deploy a training program for their remote staff and all the training materials they need in multiple languages. You can also research this topic online.


Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He sits on the board of the National Cyber Security Alliance and helped develop and implement numerous multi-cultural security awareness programs …

Article source: https://www.darkreading.com/risk/securing-your-remote-workforce-a-coronavirus-guide-for-businesses-/a/d-id/1337398?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

First-ever SANS Women in Cybersecurity survey reveals significant mentorship gaps

As women take more senior positions in the field of cybersecurity, there’s a shortage of women available to mentor others.

That’s according to the results of the SANS Institute’s first survey on Women in Cybersecurity, which found that while mentoring is a hugely important part of career progression, only seven per cent of those polled had been mentored by another woman. That compares with 31 per cent mentored only by men and 37 per cent by both men and women. The final 25 per cent received no mentoring.

“The future of cybersecurity is the responsibility of everyone,” concluded SANS analyst and survey author Heather Mahalik. “We need to reach out and become a mentor.”

SANS also asked respondents who had attained positions of leadership in cybersecurity how they’d made it. Thirty-eight per cent credited “varied experiences,” and 34 per cent credited “pursuing certificates,” as major contributions. However, 41 per cent reckoned simply “being in the right place at the right time” accounted for having attained their leadership roles.

Full results of the SANS Women in Cybersecurity Survey are available as a webcast in association with LogRhythm, ThreatConnect, and Threat Quotient, for which registration is open.

Registration is also open for a recording of a companion webcast on March 24, 2020: this panel discussion features Mahalik and selected sponsors digging into the results. A whitepaper, Women in Cybersecurity: Spanning the Career Life Cycle, also by Mahalik, is available for free download.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/30/sans_women_in_cybersecurity/

Yeah, that Zoom app you’re trusting with work chatter? It lives with ‘vampires feeding on the blood of human data’

As the global coronavirus pandemic pushes the popularity of videoconferencing app Zoom to new heights, one web veteran has sounded the alarm over its “creepily chummy” relationship with tracking-based advertisers.

Doc Searls, co-author of the influential internet marketing book The Cluetrain Manifesto last century, today warned that Zoom not only has the right to extract data from its users and their meetings, but can also work with Google and other ad networks to turn this personal information into targeted ads that follow them across the web.

This personal info includes, but is not limited to, names, addresses and any other identifying data, job titles and employers, Facebook profiles, and device specifications. Crucially, it also includes “the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.”

Searls said reports outlining how Zoom was collecting and sharing user data with advertisers, marketers, and other companies, prompted him to pore over the software maker’s privacy policy to see how it processes calls, messages, and transcripts.

And he concluded: “Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data.

“What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)”

Speaking of Zoom…

Zoom’s iOS app sent analytics data to Facebook even if you didn’t use Facebook, due to the application’s use of the social network’s Graph API, Vice discovered. The privacy policy stated the software collects profile information when a Facebook account is used to sign into Zoom, though it didn’t say anything about what happens if you don’t use Facebook. Zoom has since corrected its code to not send analytics in these circumstances.

It should go without saying, but don’t share your Zoom meeting ID and password in public, such as on social media, as miscreants will spot it, hijack it, and bomb it with garbage. And don’t forget to set a strong password, too. Zoom had to beef up its meeting security after Check Point found a bunch of weaknesses, such as the fact that it was easy to guess or brute-force meeting IDs.

The privacy policy, as of March 18, lumps together a lot of different types of personal information, from contact details to meeting contents, and says this info may be used, one way or another, to personalize web ads to suit your interests.

“Zoom does use certain standard advertising tools which require personal data,” the fine-print states. “We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the internet, serving personalized ads on our website, and providing analytics services) … For example, Google may use this data to improve its advertising services for all companies who use their services.”

Searls, a former Harvard Berkman Fellow, said netizens are likely unaware their information could be harvested from their Zoom accounts and video conferences for advertising and tracking across the internet: “A person whose personal data is being shed on Zoom doesn’t know that’s happening because Zoom doesn’t tell them. There’s no red light, like the one you see when a session is being recorded.

“Nobody goes to Zoom for an ‘advertising experience,’ personalized or not. And nobody wants ads aimed at their eyeballs elsewhere on the ‘net by third parties using personal information leaked out through Zoom.”

The Register asked Zoom, which offers free and paid-for conferencing plans, for comment on the critique, and has yet to hear back from the developer.

“Zoom doesn’t need to be in the advertising business, least of all in the part of it that lives like a vampire off the blood of human data,” Searls continued.

“If Zoom needs more money, it should charge more for its services, or give less away for free … What Zoom’s current privacy policy says is worse than ‘You don’t have any privacy here.’ It says, ‘We expose your virtual necks to data vampires who can do what they will with it.’ Please fix it, Zoom. As for Zoom’s competitors, there’s a great weakness to exploit here.”

The Zoom privacy policy, for what it’s worth, states: “We do not allow marketing companies, advertisers, or anyone else to access personal data in exchange for payment … in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.”

Meanwhile, shares in Zoom are up seven per cent today and 26 per cent over the past month. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/27/doc_searls_zoom_privacy/