All posts by rocco

Biden Signs Memo to Boost National Cybersecurity

Read Time:1 Minute, 52 Second

Biden Signs Memo to Boost National Cybersecurity

United States President Joe Biden has signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks.

The requirements for federal civilian networks were laid out in Biden’s Executive Order 14028 (EO 14028) issued May 12 2021. The new memo, signed Wednesday, specifies how the provisions of EO 14028 apply to national security systems. 

The NSM establishes timelines and guidance for how cybersecurity requirements, including multi-factor authentication, encryption, cloud technologies and endpoint detection services, will be implemented.

It also requires agencies to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA). 

Commenting on this particular requirement of the NSM, Mark Manglicmot, vice president of security services at Arctic Wolf, said: “To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.”  

The NSM further authorizes the NSA to create Binding Operational Directives that require agencies to take specific actions against known or suspected cyber-threats and vulnerabilities. In addition, it requires the NSA and the Department of Homeland Security to share BODs and “learn from each other to determine if any of the requirements from one agency’s directive should be adopted by the other.” 

Under the new memo, agencies are required to secure tools known as cross-domain solutions that transfer data between classified and unclassified systems. 

In a statement released Wednesday, the White House said: Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems.”

James McQuiggan, security awareness advocate at KnowBe4, noted that the memo omitted any requirements around cybersecurity education or creating a security culture among users. 

He said: “When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyber-attack.”

Read More

11:11 Systems Acquires iland

Read Time:1 Minute, 49 Second

11:11 Systems Acquires iland

Managed infrastructure solutions company, 11:11 Systems, has acquired Texas-based cloud services provider, iland

The completion of the acquisition was announced on Thursday. The terms of the deal were not disclosed. 

Headquartered in Houston with regional offices in London and Sydney, iland delivers cloud services including Disaster-Recovery-as-a-Service (DRaaS), Infrastructure-as-a-Service (IaaS) and Backup-as-a-Service (BaaS) from its cloud regions throughout North America, Europe, Australia and Asia.

11:11 Systems said it intends to leverage iland’s award-winning Secure Cloud Console, which natively combines deep layered security, predictive analytics and compliance to deliver visibility and easy management for iland’s cloud services.

The deal follows 11:11 Systems’ recent acquisition of Green Cloud Defense, a channel-only, cloud Infrastructure-as-a-Service (IaaS) provider. 

“By adding iland’s steady 25% YOY momentum to 11:11 Systems’ expanding national network of MSPs, VARs and IT consultants, a hyper-growth pathway has been created,” said 11:11 Systems in a statement.

Brett Diamond, CEO of 11:11 Systems, said his company’s recent acquisitions were motivated by making cybersecurity more straightforward for its customers. 

“CIOs and IT leaders are being pushed to address increasing numbers of security threats, application vulnerabilities and network weaknesses that can leave organizations exposed to data breaches; at the same time, they are tasked with laying the right foundation within their infrastructure to embrace hybrid cloud, navigate sophisticated application requirements, artificial intelligence and more while data and devices continue to multiply exponentially,” said Diamond.

He added: “11:11 Systems is focused on significantly simplifying our customers’ approach to cloud, security and connectivity to drive greater security, innovation, and responsiveness and adding iland and Green Cloud as core ingredient platforms substantively advances this mission.”

For iland, the deal brings an opportunity for expansion and innovation, according to the company’s CTO, Justin Giardina. 

“Joining 11:11 Systems, which now includes Green Cloud, will open up the doors of innovation even wider with new opportunities to expand services across the iland platform, which will further enhance our customers’ ability to manage and monitor their hybrid environments,” said Giardina.

Read More

Third Firmware Bootkit Discovered

Read Time:1 Minute, 51 Second

Third Firmware Bootkit Discovered

Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild.

The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. Researchers are confident that the campaign is the work of well-known Chinese-speaking advanced persistent threat (APT) actor APT41.

MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than previously discovered bootkits LoJax and MosaicRegressor.

The malicious implant was found hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS). 

Once MoonBounce’s components have made their way into the operating system, they reach out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve.

The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash. 

Researchers said that Bootkits of this kind are extremely hard to detect because the code they target is located outside of the device’s hard drive in an area that most security solutions do not scan as standard. 

Firmware bootkits are also difficult to delete. They can’t be removed simply by reformatting a hard drive or reinstalling an OS because the code is launched before the operating system.

“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” noted researchers. 

While investigating MoonBounce, researchers appeared to detect a link between the bootkit and Microcin malware used by the SixLittleMonkeys threat actor.

“While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” said Denis Legezo, senior security researcher with GReAT (Kaspersky’s Global Research and Analysis Team).

Read More

Jail for prolific romance fraudster who fleeced besotted lonely hearts

Read Time:19 Second

To his victims he was “Tony Eden”, a middle-aged white man looking for love online, while working overseas for a drilling company.

But in reality he was a school caretaker called Osagie Aigbonohan, originally from Lagos, Nigeria, and part of a criminal gang with links to the notorious Black Axe group.

Read more in my article on the Tripwire State of Security blog.

Read More

San Francisco Police Illegally Spying on Protesters

Read Time:2 Minute, 20 Second

Last summer, the San Francisco police illegally used surveillance cameras at the George Floyd protests. The EFF is suing the police:

This surveillance invaded the privacy of protesters, targeted people of color, and chills and deters participation and organizing for future protests. The SFPD also violated San Francisco’s new Surveillance Technology Ordinance. It prohibits city agencies like the SFPD from acquiring, borrowing, or using surveillance technology, without prior approval from the city’s Board of Supervisors, following an open process that includes public participation. Here, the SFPD went through no such process before spying on protesters with this network of surveillance cameras.

It’s feels like a pretty easy case. There’s a law, and the SF police didn’t follow it.

Tech billionaire Chris Larsen is on the side of the police. He thinks that the surveillance is a good thing, and wrote an op-ed defending it.

I wouldn’t be writing about this at all except that Chris is a board member of EPIC, and used his EPIC affiliation in the op-ed to bolster his own credentials. (Bizarrely, he linked to an EPIC page that directly contradicts his position.) In his op-ed, he mischaracterized the EFF’s actions and the facts of the lawsuit. It’s a mess.

The plaintiffs in the lawsuit wrote a good rebuttal to Larsen’s piece. And this week, EPIC published what is effectively its own rebuttal:

One of the fundamental principles that underlies EPIC’s work (and the work of many other groups) on surveillance oversight is that individuals should have the power to decide whether surveillance tools are used in their communities and to impose limits on their use. We have fought for years to shed light on the development, procurement, and deployment of such technologies and have worked to ensure that they are subject to independent oversight through hearings, legal challenges, petitions, and other public forums. The CCOPS model, which was developed by ACLU affiliates and other coalition partners in California and implemented through the San Francisco ordinance, is a powerful mechanism to enable public oversight of dangerous surveillance tools. The access, retention, and use policies put in place by the neighborhood business associations operating these networks provide necessary, but not sufficient, protections against abuse. Strict oversight is essential to promote both privacy and community safety, which includes freedom from arbitrary police action and the freedom to assemble.

So far, EPIC has not done anything about Larsen still being on its board. (Others have criticized them for keeping him on.) I don’t know if I have an opinion on this. Larsen has done good work on financial privacy regulations, which is a good thing. But he seems to be funding all these surveillance cameras in San Francisco, which is really bad.

Read More

Smashing Security podcast #258: Tesla remote hijacks and revolting YouTubers

Read Time:20 Second

Carole’s still on jury service, but the show must go on! We take a look at how some Tesla owners are at risk of having their expensive cars remotely hijacked, and why YouTubers are up in arms over NFTs.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Read More

Applications Open for Next NCSC for Startups Cohort

Read Time:2 Minute, 3 Second

Applications Open for Next NCSC for Startups Cohort

Applications have opened for the latest NCSC for Startups program, which is focusing on companies developing products to protect SMEs from ransomware.

The program, designed to help the growth and development of the UK’s most promising cybersecurity startup firms, was launched last June. It is run by the National Cyber Security Centre (NCSC) and Plexal, and is a successor to the successful NCSC Cyber Accelerator program.

The first companies to participate in this new program were announced in August.

For its next cohort, NCSC for Startups is inviting applications from startups creating products designed to protect SMEs from surging ransomware attacks. Specifically, these are companies that:

Can defend SMEs from ransomware by providing accessible, low-cost protection
Encourage firms to implement secure backups to minimize the impact of an attack
Address risks posed by remote desktop protocol (RDP) as more businesses and individuals implement home and remote working

Cyber-criminals have dramatically increased their targeting of SMEs during the pandemic, with many of these businesses having to undertake rapid digital transformation projects. Yet many of these firms do not have the necessary cybersecurity skills or tools to protect themselves.

Successful applicants will receive continuous onboarding for 12 months, working with leading cybersecurity experts to develop, adapt and test their products.

Chris Ensor, deputy director for cyber growth at the NCSC, commented: “Ransomware presents the most serious cyber security threat to the UK, and it is vital that organizations protect themselves.

“Our latest NCSC for Startups challenge provides a great opportunity for innovative companies to collaborate with us in the fight against ransomware and strengthen the UK’s defenses.”

Saj Huq, director of innovation at Plexal, said: “Ransomware doesn’t just affect large, established companies: there is a growing risk to SMEs that make up the backbone of our economy, and anyone who lives and works online are potential victims.  

“This is a unique and game-changing opportunity for startups to work on the biggest cyber-threat around alongside experts from the NCSC and industry who are working day in, day out, to keep the UK safe – and I hope they respond to this call with a sense of urgency and mission.”

Interested companies can submit their applications at: https://www.ncsc.gov.uk/section/ncsc-for-startups/join-the-ncsc-for-start-ups.

The NCSC for Startups program forms part of the UK’s National Cyber Strategy, unveiled in December.

Read More

Twitter Mentions More Effective Than CVSS at Reducing Exploitability

Read Time:1 Minute, 38 Second

Twitter Mentions More Effective Than CVSS at Reducing Exploitability

Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.

Kenna Security’s latest reportPrioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.

It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.

Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had a less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.

To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.

Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.

“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.

“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”

Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.

“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.

Read More

NFTs – Protecting the investment

Read Time:3 Minute, 1 Second

This blog was written by an independent guest blogger.

Non-fungible tokens (NFTs) are the new player in the financial investment market. They’ve seen tremendous interest from a wide range of parties, whether that be institutional investors or retail hobbyists looking to find an angle. As with anything involving money, malicious actors are already starting to take hold; Insider magazine recently highlighted the 265 Ethereum (roughly $1.1 million) theft due to a fraudulent NFT scheme.

Just as cybersecurity has needed frequent and substantial improvements to shore up the security scene, so have NFTs, and those who purchase them. Funnily enough, the key to protecting NFTs is first understanding their financial liability and the laws governing them.

Governmental regulations

Cryptocurrency has been subjected to a rapidly changing balance of laws for the government to try and control it through regulation. NFTs are much the same; while they have entered the market as a form of ultra-modern art exchange, they are still financial instruments. As a result, buyers and sellers have been hit with unexpected fines and seizures by the government due to a poor understanding of the rules. Indeed, Vice recently reported that the US tax authorities had placed sanctions on 57 cryptocurrency addresses and one popular exchange due to their connections with money laundering.

Protecting yourself in this regard comes down to two, fairly basic, steps. Firstly, understand that NFTs are not a currency or simply a piece of art. They remain assets according to the IRS rules, which means they are subject to the capital gains tax. All NFT exchanges must satisfy this rule. Secondly, make sure to use reputable exchanges. Do thorough research on your exchange, make sure they are fully regulated, and protect your own wallet.

Protecting your wallet

NFTs are cryptocurrencies, and so their security is the same as the security of the crypto wallet. Cryptocurrency wallet theft is no small issue. Figures analyzed by Forbes highlight the sheer scale of wallet hacks, with one recent attack gaining notoriety after it extracted $600 million in Ethereum.

A well-protected cryptocurrency wallet has three main features. Firstly, its owner practices good digital hygiene – keep your credentials secure and use multi-factor authentication. Secondly, it has backups – physical data, such as an external hard drive, is a good idea. Lastly, smart cryptocurrency defense relies on using good quality cybersecurity tools on any device where you are dealing with your cryptocurrency sales, with a firewall and antivirus as a minimum.

Staying ahead

Updates are a crucial factor in any effective anti-malware system. As The Verge highlights, white hat operators have recently helped to patch huge vulnerabilities that enabled the illegal seizure of NFTs through the gifting of NFTs through scam schemes. Proper protection of this ilk requires user awareness and the dedication of programmers. It’s essential to proactively patch vulnerabilities before they can become an issue that will result in wide-scale thefts of NFTs or the overall degradation of market assurance.

On a personal basis, once again, researching the market and looking to keep an eye on emerging threats and trends will help to bridge this gap. Sometimes even having one eye on the trend can create the small amount of awareness needed to avoid a scam.

NFT protection is, then, similar to protecting any other digital financial asset. The fact that NFTs are presented as art is something that is misleading when it comes to effectively creating protections for them against hackers. Treat NFTs like their source technology, cryptocurrency. This can help ensure that they retain their protections and are secure against malicious actors.

Read More

Eleven Arrested in Bust of Prolific Nigerian BEC Gang

Read Time:1 Minute, 52 Second

Eleven Arrested in Bust of Prolific Nigerian BEC Gang

Nigerian police have arrested 11 more suspected members of a prolific business email compromise (BEC) gang that may have targeted hundreds of thousands of organizations.

Interpol coordinated Operation Falcon II with the Nigerian Police Force (NPF) over 10 days in December 2021, having sought input from other police forces across the globe investigating BEC attacks via its I-24/7 communications network.

Those arrested are thought to be part of the Silver Terrier (aka TMT) group. One individual had the domain credentials of 800,000 potential victims on his laptop, while another was monitoring online conversations between 16 companies and their clients and diverting funds to TMT, Interpol claimed.

A third is suspected of BEC attacks across West Africa, including Nigeria, Gambia and Ghana.

Any intelligence and evidence gleaned from the operation will be fed into Interpol’s Global Financial Crime Taskforce (IGFCTF) to help prevent further fraud.

“Operation Falcon II sends a clear message that cybercrime will have serious repercussions for those involved in business email compromise fraud, particularly as we continue our onslaught against the threat actors, identifying and analyzing every cyber trace they leave,” said Interpol director of cybercrime, Craig Jones.

“Interpol is closing ranks on gangs like SilverTerrier. As investigations continue to unfold, we are building a very clear picture of how such groups function and corrupt for financial gain. Thanks to Operation Falcon II we know where and whom to target next.”

The first iteration of this anti-BEC campaign was run in 2020 and resulted in the arrest of three TMT suspects. The gang was thought to have compromised as many as 500,000 victim organizations by that time, according to Group-IB, which was involved in both operations.

“Group-IB’s APAC Cyber Investigations Team has contributed to the current operation by sharing information on the threat actors, having identified the attackers’ infrastructure, collected their digital traces and assembled data on their identities,” it explained in a statement.

“Group-IB has also expanded the investigation’s evidence base by reverse-engineering the samples of malware used by the cyber-criminals and conducting the digital forensics analysis of the files contained on the devices seized from the suspects.”

Read More