Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn,
Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi, Josh Eads, Salman
Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and Kostik
Shtoyk discovered that some Intel(R) Processors did not properly handle certain
sequences of processor instructions. A local attacker could possibly use this to
cause a core hang (resulting in a denial of service), gain access to sensitive
information or possibly escalate their privileges.
Yearly Archives: 2023
DSA-5557-1 webkit2gtk – security update
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2023-41983
Junsung Lee discovered that processing web content may lead to a
denial-of-service.
CVE-2023-42852
An anonymous researcher discovered that processing web content may
lead to arbitrary code execution.
Alleged Extortioner of Psychotherapy Patients Faces Trial
Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.
In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.
Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.
Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.
But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.
Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.
Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway which discussed the idea of legalizing child sexual abuse.
Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.
Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain krebsonsecurity[.]org, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.
Mikko Hyppönen, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”
Petteri Järvinen is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.
“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”
Antti Kurittu is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.
“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”
The Finnish daily yle.fi reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.
The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.
CIS Hardened Images Now in Microsoft Azure Marketplace
Microsoft Azure is a major cloud provider of virtual machine images – and one of four where the Center for Internet Security offers CIS Hardened Images.
FTC’s Voice Cloning Challenge
The Federal Trade Commission is running a competition “to foster breakthrough ideas on preventing, monitoring, and evaluating malicious voice cloning.”
The Benefits of Protection – How Organizations Gain from Digital Wellness
This is the final in a series of three articles covering digital wellness programs in the workplace. Here we explore what organizations have to say about online protection and the role that digital wellness plays in their workplace today.
The top three benefits in the workplace today? Healthcare and retirement benefits are easy picks. Yet weighing in a strong third — digital wellness benefits.
HR pros list digital wellness as a top-three benefit in the workplace, ranking only behind healthcare and retirement benefits.
That’s one of the many findings we revealed in our joint research with HR.com, conducted in the first quarter of 2023. We reached out to nearly 250 HR pros who are knowledgeable about benefits, data privacy, and cybersecurity in organizations of 1,000 employees or more. Across the board, they said digital wellness plays an important role in their organization for several reasons. Collectively, they said it’s effective or highly effective at enhancing security (94%), retaining employees (87%), and improving employee safety and wellbeing (86%).
Moreover, 96% of them say that digital wellness in the workplace is more important than ever.
With that, we also gained a sense as to deeply rooted remote and hybrid work have become. We found that 71% of organizations have at least a quarter of their workforce working remotely at least some of the time. Given that 1 in 2 employees worldwide use at least one personal device for work, it makes sense that HR pros have prioritized digital wellness in their organizations.
Yet what does a digital wellness benefit entail?
Building out a strong digital wellness benefit.
As shared in our earlier article, we found little consistency between digital wellness offerings. The most common initiative HR pros employ is offering antivirus software, yet even that was reported by only 60% of organizations. The list breaks down as follows from there:
One item on this list particularly stands out. Note how educating employees about phishing scams ranks so low, at 48%. Compare that to the 61% of HR pros who said that human error, such as falling victim to a phishing attack, led to a cybersecurity breach. From there, more than half said that breach led to a financial loss.
So, which of the above provides the underpinnings of a strong digital wellness benefit? The answer to that is “yes to all.” And more.
When it comes to digital wellness, it’s easy to think of things like antivirus, a VPN, and other technology-driven solutions. Certainly, it’s that. Yet it’s much more. A strong digital wellness offering protects more than devices and things. It protects people. Because people are human, and human error can lead to security issues.
Organizations have IT teams tasked with securing networks, data, and devices. They put protections and policies in place to protect technology. To some extent, they factor in the human element as well. Yet to fully factor in the human element, that calls for HR to partner with IT. Together they can build out a digital wellness benefit that complements the protections IT puts in place.
Building out a strong digital wellness benefit.
Organizations can often roll out digital wellness initiatives at relatively low cost, yet they require support to get them started. That begins by making the case for digital wellness benefits with leadership.
Throughout this series of articles, we uncovered how the post-pandemic world has transformed the way employees use the internet, the importance they place on digital wellness, and the reasons they welcome it as a benefit. We also pointed out that digital wellness finds itself as a top-three benefit in the wake of this new internet usage. Together, these articles can help you make the overarching case to leadership — illustrating that digital wellness is vital not only for organizational security, but for attracting and retaining talent as well.
From there, working alongside IT can help you make the specific case for your organization, as part of a three-step approach:
1. Partner with IT.
IT leadership and teams in IT will have insight into the ways employees can improve their security habits. Moreover, they’ll have a sense of which employee security issues are the most pressing. By forming these insights into a list, HR can prioritize initiatives. Then it can use its expertise in incentives, training, and communication to create a culture that minimizes security lapses.
IT can assist HR in other ways, such as with auditing. HR teams can gain insight into the number of personal devices used in the organization. With that, we can advocate for initiatives that can protect them while they use those devices, such as offering online protection software.
2. Offer comprehensive online protection software.
Antivirus, personal data cleanup, and a VPN — HR pros mentioned those initiatives and several others on the list we shared above. Comprehensive online protection like ours covers all those initiatives and then some. All in one proverbial box. With deeper features like identity monitoring, transaction monitoring, and cleaning up old online accounts, it can form the cornerstone of a digital wellness benefit. And at relatively low cost per person.
Moreover, comprehensive online protection can help address human error. McAfee Scam Protection uses artificial intelligence (AI) to combat those phishing attacks. It automatically detects scam texts and can block risky links in emails, social media, and more—which often lead to sites that steal sensitive and financial info.
In all, today’s online protection offers far, far more than antivirus. It protects the employee by protecting their devices, privacy, and personal info.
3. Consider making digital wellness part of your core or voluntary benefits.
Organizations that offer digital wellness as part of their benefits tend to be more confident in the security of personal devices. Among the HR pros who said they offer digital wellness as a core benefit, 78% felt that personal devices are very secure, compared to 64% of those with voluntary benefits, and 59% of those with no digital wellness benefits.
At the root of that feeling is knowledge. Knowledge that employees are empirically safer from hacks, attacks, and identity theft because they have comprehensive online protection like ours. And should they become a victim of identity theft, they have a licensed identity restoration expert who can help them resolve it — and reimburse funds stolen per their protection plan. That puts employees in a better place. Which helps put the organization in a better place as well.
Digital wellness is a part of wellness overall.
Digital wellness can reduce the stress that comes from loss or the unknown, which enables richer, safer, and happier lives. That puts digital wellness in close company with already established mental and financial wellness benefits, making it part of an attractive benefits package overall. Particularly as people spend nearly seven hours online each day on average — conducting sensitive personal and professional matters there at historic highs.
Digital wellness is crucial for organizations as well. As our research uncovered, many breaches occur because of human error, which often leads to disruptions and financial losses.
The case for digital wellness has only become stronger in recent years, and many organizations have taken their first steps to develop it as a benefit. As our research indicates, the organizations that do benefit as well.
For more, see our previous articles in the series.
The Benefits of Protection – The Case for Digital Wellness in the Workplace
The Benefits of Protection – Why Employees Place a High Value on Digital Wellness
Want to learn more? Visit us at https://www.mcafee.com/en-us/resources/digital-wellness.html or reach out to EmployeeBenefits@mcafee.com.
The post The Benefits of Protection – How Organizations Gain from Digital Wellness appeared first on McAfee Blog.
CSA Launches First Zero Trust Certification
The CCZT program incorporates foundational principles from leading sources such as CISA and NIST
Cyber-Criminals Exploit Gaza Crisis With Fake Charity
Attackers sought crypto donations of $100-$5000 using Bitcoin, Litecoin and Ethereum addresses
kubernetes-1.25.16-1.fc37
FEDORA-2023-6ad09ef90b
Packages in this update:
kubernetes-1.25.16-1.fc37
Update description:
Resolves CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes.
Upstream change log at: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v12515
Russian Hacking Group Sandworm Linked to Unprecedented Attack on Danish Critical Infrastructure
A report described the coordinated attack, in which 22 critical infrastructure firms were targeted