GCHQ boss says intelligence is being declassified on an unprecedented scale

Read More

Most EMEA organizations don’t have a strategy for dealing with them

Read More

The Russian invasion of Ukraine has demonstrated the law of unintended consequences in a most unexpected way.  By publicly backing the invasion, the heretofore most prolific ransomware group in the world inspired a backlash that appears to have temporarily crippled the group’s ability to operate and given unprecedented insight into the world of ransomware operators.

Conti ransomware 101

Advances in cryptography have spawned new types of applications and business models.  Unfortunately, one of them is ransomware.   Combined with cloud computing, you get an especially virulent variety, ransomware-as-a-service (RaaS).  Among the practitioners of this dark art, the most successful in 2021 was Conti, a Russia-based group.

To read this article in full, please click here

Read More

International IT and software development firm Globant has confirmed that an increasingly-notorious cybercrime gang breached its network and stole intellectual property and passwords.

Read more in my article on the Hot for Security blog.

Read More

Atento case highlights the costs that can stem from serious breaches

Read More

Throw open the windows and let in some fresh air. It’s time for spring cleaning.

And that goes for your digital stuff too.

Whether it’s indeed spring where you are or not, you can give your devices, apps, and online accounts a good decluttering. Now’s the time. Cleaning them up can protect your privacy and your identity, because when there’s less lying about, there’s less for hackers to scoop up and exploit.

The reality is that we accumulate plenty of digital clutter that needs cleaning up from time to time. Think about it:

Bunches of one-off accounts at online stores we won’t frequent again.
Membership in messages board or forums you no longer drop in on.
Plenty of outdated apps and programs that are still sitting on your devices.
Aging files that are no longer relevant, like spreadsheets and records from years ago.
And photos—oh, photos! We have plenty of those, right?

Seven steps for digital spring cleaning

Together, these things take up space on your devices and, in some cases, can open you up to security hazards. Let’s take a look at how you can clean up in a few steps.

1. Review your accounts and delete the ones you don’t use. Look through your bookmarks, your password manager, or the other places where you store your passwords and usernames. Review the sites and services associated with them critically. If you haven’t used an account in some time, log in one last time, remove all personal info, and deactivate it.

Doing so can keep your email address, usernames, and passwords out of unnecessary circulation. Major breaches like this one happen with unfortunate regularity, and the sad thing is that you may not even be aware that a site you’ve used has been hit. Meanwhile, your name, password, and info associated with that account (such as your credit card) are in the hands of hackers. Limit your exposure. Close those old accounts.

2. Get organized, and safer too, with a password manager. While creating strong, unique passwords for each of our accounts is a must nowadays, it can be quite the feat, given all of the accounts in our lives. Here’s where a password manager comes in. It can create those strong, unique passwords for you. Not only that, but it also stores your passwords on secure servers, away from hackers and thieves.

Along those lines, never store your passwords on your computer or device, like a text document or spreadsheet. Should your device ever get compromised, lost, or stolen, having passwords stored on them are like handing over the keys to your digital life.

3. Clean your PC to improve your performance (and your security). Let’s face it, so many of us are so busy with the day-to-day that cleaning up our computers and laptops is way down the list. However, doing so once a month can keep our devices running stronger for longer and even give you that “new computer feeling,” particularly if you haven’t cleaned it up for some time. Check out or guide for improving PC performance. It’ll walk you through some straightforward steps that can make a marked difference.

Moreover, part of this process should entail bolstering your operating system and apps with the latest updates. Such updates can not only improve speed and functionality, but they also often include security upgrades as well that can make you safer in the long run. If your operating system and apps feature automatic updates, enable them, and they’ll do the work for you.

4. Organize and store your photos. Photos. Now there’s a topic all unto itself. Here’s the thing: Estimates show that worldwide we took somewhere around 1.2 trillion photos in 2018. And you certainly have your share.

However, your photos may be just sitting there, taking up storage space on your computer or phone, instead of becoming something special like an album, greeting cards, a wall hanging, or popping them into a digital picture frame for your kitchen or living room. And this is where a little spring cleaning can be a bit of fun. For tips on cleaning up your photos, backing them up, and making something special with them, check out my earlier blog.

5. Delete old apps and the data associated with them. Let’s say you have a couple of apps on your phone for tracking your walks, runs, and exercise. You’ve since stopped using one altogether. Go ahead and delete the old one. But before you do, go in and delete your account associated with the app to ensure that any data stored off your phone, along with your password and user id are deleted as well.

For your computers and laptops, follow the same procedure, recognizing that they also may have account data stored elsewhere other than on your device.

In short, many apps today store information that’s stored and maintained by the app provider. Make sure you close your accounts so that data and information is taken out of circulation as well.

6. Shred your old files and encrypt the important files you’re holding on to. This bit of advice calls for using comprehensive security software on your devices. In addition to protecting you from viruses, malware, and other cyberattacks on your privacy and identity, it can help you protect your sensitive information as well. Such security software can offer:

File encryption, which renders your most sensitive files into digital gibberish without the encryption key to translate them back.
A digital file shredder that permanently deletes old files from your computer (simply dropping them into the desktop trashcan doesn’t do that—those files can be easily recovered).
Identity theft protection, which monitors the dark web for your personal info that might have been leaked online and immediately alerts you if you might be at risk of fraud.

7. Throwing away old computers and tech—dispose of properly. When it comes time to say goodbye to an old friend, whether that’s a computer, laptop, phone, or tablet, do so in a way that’s friendly to the environment and your security.

Consider this … what’s on that old hard drive of yours? That old computer may contain loads of precious personal and financial info on it. Same thing goes for your tablets and phones. The Federal Trade Commission (FTC) offers some straightforward advice in their article about protecting your data before you get rid of your computer. You don’t want those old tax returns ending up in the trash unprotected.

When it comes time for disposal, you have a few options:

Look into the e-waste disposal options in your community. There are services that will dispose of and recycle old technology while doing it in a secure manner.
Some mobile carriers have turn-in programs that will not only dispose of your tech properly, but they’ll give you a financial incentive too—such as money towards a new device.
Lastly, consider the option of reusing the device. There are opportunities to pass it along to a family member or even donating it as well. Your old tech may be a game-changer for someone else. Again, just be sure to protect that old data!

As with any spring cleaning, you’ll be glad you did it

Enjoying the benefits of your work—that’s what spring cleaning is all about, right? With this little list, you can end up with a digital life that’s safer and faster than before.

The post Digital Spring Cleaning: Seven Steps for Faster, Safer Devices appeared first on McAfee Blog.

Read More

On Tuesday, KrebsOnSecurity warned that hackers increasingly are using compromised government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies. Today, one of the U.S. Senate’s most tech-savvy lawmakers said he was troubled by the report and is now asking technology companies and federal agencies for information about the frequency of such schemes.

At issue are forged “emergency data requests,” (EDRs) sent through hacked police or government agency email accounts. Tech companies usually require a search warrant or subpoena before providing customer or user data, but any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request is related to an urgent matter of life and death.

As Tuesday’s story showed, hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. After all, there are roughly 18,000 distinct police organizations in the United States alone, and many thousands of government and police agencies worldwide.

Criminal hackers exploiting that ambiguity are enjoying remarkable success rates gaining access to the data they’re after, and some are now selling EDRs as a service to other crooks online.

This week’s piece included confirmation from social media platform Discord about a fraudulent EDR they recently processed. On Wednesday, Bloomberg published a story confirming that both Apple and Meta/Facebook have recently complied with fake EDRs.

Today, KrebsOnSecurity heard from Sen. Ron Wyden (D-Ore.), who said he was moved to action after reading this week’s coverage.

“Recent news reports have revealed an enormous threat to Americans’ safety and national security,” Wyden said in a statement provided to KrebsOnSecurity. “I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals.”

“I’m requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers,” Wyden’s statement continues. “No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed. Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”

Tuesday’s story showed how fraudulently obtained EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, NVIDIA, Okta and Samsung. And it tracked the activities of a teenage hacker from the United Kingdom who was reportedly arrested multiple times for sending fake EDRs.

That was in March 2021, but there are similar fake EDR services on offer today. One example can be found on Telegram, wherein a member who favors the handle “Bug” has for the past month been selling access to various police and government email accounts.

All of the access Bug is currently offering was allegedly stolen from non-U.S. police and government email accounts, including a police department in India; a government ministry of the United Arab Emirates; the Brazilian Secretariat of Education; and Saudi Arabia’s Ministry of Education.

On Mar. 30, Bug posted a sales thread to the cybercrime forum Breached[.]co saying he could be hired to perform fake EDRs on targets at will, provided the account was recently active.

“I am doing LE Emergency Data Requests for snapchat, twitter, ig [Instagram] and many others,” Bug wrote. “Information we can get: emails, IPs, phone numbers, photos. Account must be active in the last week else we get rejected as shown below. Have gotten information only on Snapchat, Twitter and IG so far.”

KrebsOnSecurity sought comment from Instagram, Snapchat, and Twitter. This post will be updated in the event they respond.

The current scourge of fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for privileged subscriber data. In July 2021, Sen. Wyden and others introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.

Read More

New research from XM Cyber analyzing the methods, attack paths, and impacts of cyberattacks has discovered that attackers can compromise 94% of critical assets within just four steps of initial breach points. The hybrid cloud security company’s Attack Path Management Impact Report incorporates insights from nearly two million endpoints, files, folders, and cloud resources throughout 2021, highlighting key findings on attack trends and techniques impacting critical assets across on-prem, multi-cloud, and hybrid environments.

Critical assets vulnerable to attack, credentials an Achilles heal

The findings showed that 75% of an organization’s critical assets are open to compromise in their current security state, while 73% of the top attack techniques used last year involved mismanaged or stolen credentials. Just over a quarter (27%) of most common attack techniques exploited a vulnerability or misconfiguration.

To read this article in full, please click here

Read More

The FBI is calling on members of the public to help it uncover members of an increasingly-notorious cybercrime gang.

Read More

A remote code execution vulnerability in Spring Framework has sparked fears that it could have a widespread impact across enterprise environments. Spring is one of the most popular open-source frameworks for developing Java applications.

The flaw, which has since been dubbed SpringShell or Spring4Shell, came to light when a Chinese developer released a proof-of-concept (PoC) exploit on GitHub and then removed it, prompting widespread speculation about the unpatched flaw, its causes and potential impact. There was also some early confusion between this vulnerability and a different one patched Tuesday in Spring Cloud, a microservices library that’s different from the core Spring Framework. That vulnerability is tracked as CVE-2022-22963.

To read this article in full, please click here

Read More