WebProNews

Category: CybersecurityUpdate

  • US Agencies Request the Most User Data From Big Tech, Apple Complies the Most

    Americans concerned about their user data falling into the hands of foreign governments may want to look closer to home.

    According to new research by VPN provider Surfshark, the US government makes more requests for user data from Big Tech companies than any other jurisdiction in the world. The company analyzed data requests to Apple, Google, Meta, and Microsoft by “government agencies of 177 countries between 2013 and 2021.”

    The US came in first with 2,451,077 account requests, more than four times the number made by Germany, the number-two country on the list. In fact, the US made more requests than all of Europe, including the UK, which collectively came in under 2 million.

    While the US and EU were responsible for a combined total of 60% of all data requests, the US “made 8 times more requests than the global average (87.9/100k).”

    The number of accounts being accessed is also growing, with a fivefold increase in requests from 2013 to 2021. The US alone saw a 348% increase during that time frame, and the scope and purpose of the requests are expanding.

    “Besides requesting data from technology companies, authorities are now exploring more ways to monitor and tackle crime through online services. For instance, the EU is considering a regulation that would require internet service providers to detect, report, and remove abuse-related content,” says Gabriele Kaveckyte, Privacy Counsel at Surfshark. “On one hand, introducing such new measures could help solve serious criminal cases, but civil society organizations expressed their concerns of encouraging surveillance techniques which may later be used, for example, to track down political rivals.”

    The report also sheds light on which companies comply the most and which ones push back against requests. For all of its privacy-oriented marketing — “what happens on your iPhone stays on your iPhone” — Apple complies with data requests more than any other company, handing data over 82% of the time.

    In contrast, Meta complies 72% of the time and Google 71% of the time. Microsoft, on the other hand, pushes back the most among Big Tech companies, handing data over only 68% of the time.

    The findings may also put a dent in US efforts to ban TikTok and other foreign apps under the guise of protecting user privacy and data.

  • Samsung Max VPN Collects Your Private Data and Sells It

    Users relying on Samsung’s Max VPN should look for other options to keep their data private and safe.

    Samsung includes and/or promotes its Max VPN service on its phones. As sharp-eyed Reddit user soboi12345 has pointed out, however, users’ data is not at all private when using Samsung’s VPN. In fact, the company collects unique identifying data and sells it to third parties.

    The company describes its practices in its Max Service Description and Privacy Policy:

    The Max Service app may log how you use your device, including unique identifiers, information about the software you’ve installed, device characteristics, information about your location and mobile carrier, the type of network you use to access web content, how much data you use, and the URLs you visit. We use this data to debug the Max Service app and to improve the user experience. We anonymize and/or aggregate this data and may allow our business partners access to it.

    To be clear, Samsung’s VPN is collecting unique identifiers, location data, the apps users have installed, and the websites they visit — and then selling that data rather than protecting users’ privacy.

    This is an appalling breach of trust for any VPN provider, especially since many VPN users are specifically looking to avoid exactly the kind of data collection Samsung is engaging in.

    Samsung’s behavior is even more egregious when considering that the company called out people’s data being used as a commodity when it launched Max VPN:

    “All over the world, data has become a commodity, but many plans are simply still too expensive for consumers that want to get the most out of the latest technology built into their devices,” said Seounghoon Oh, Vice President Samsung R&D Institute India, at the time. “With Samsung Max, our users in every corner of the globe now have increased autonomy and control over their data usage and privacy in an era of rising security threats, fraudulent apps and user profiling.”

    With such a strong statement, Samsung’s users could be forgiven for thinking the company would actually protect their privacy and not use their data as “a commodity.”

    As we have stated on WPN, and as The New York Times Wirecutter has recommended, Mullvad is the best VPN for users who truly care about their privacy. The company has a zero-logs policy and doesn’t save identifying information. In fact, users are given a random numeric account number for login purposes rather than using an email address or username.

    The company has also had extensive third-party security audits, is transparent about its ownership, has a clear privacy policy, good performance, and is reasonably priced.

  • Rural US Hospitals Are Getting Clobbered by Ransomware

    Rural US hospitals are losing the fight against ransomware due to limited resources compared to bigger organizations.

    According to Cyberscoop, witnesses testified in a recent Senate Homeland Security and Governmental Affairs Committee meeting that smaller hospitals are struggling to combat ransomware attacks. In most cases, while there is plenty of information available to help organizations, the issue stems from a lack of resources, including qualified cybersecurity personnel.

    “We also saw cybercriminals shift their focus to small and rural hospitals with this group lagging behind in strengthening their defenses,” said Kate Pierce, senior virtual information security officer at cybersecurity firm Fortified Health Security. “Our rural hospitals are facing unprecedented budget constraints with up to 30% or more in the red, with the public health emergency scheduled to end in May.”

    Unfortunately, the issue is only going to get worse as bad actors exploit small hospitals’ vulnerability. Some are even stepping up the pressure on smaller hospitals specifically, posting patient information — including nude examination photos — online in an effort to force hospitals to pay up.

    “In recent years, increasingly sophisticated cyberattacks in the healthcare and public health sectors posed alarming threats to people in Michigan, as well as across the country,” said Committee Chairman Gary Peters, D-Mich.

  • PSA: Disable Wi-Fi Calling, VoLTE on Pixel & Samsung Phones IMMEDIATELY

    Google has discovered 0-day vulnerabilities in Samsung’s Exynos modems that impact the most recent Pixel and Samsung devices.

    Samsung’s Exynos modem chipsets are used in a variety of devices, including Google’s Pixel 6 and 7 lines, as well as a wide range of Samsung’s own devices. Unfortunately, Google’s Project Zero has discovered 18 0-day vulnerabilities in the chipset, four of which can be exploited remotely with no user interaction.

    Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

    While still serious, the remaining 14 vulnerabilities are not as severe, since they require physical access to the device or a malicious network operator.

    Google recommends turning off Wi-Fi calling and VoLTE on all impacted devices, which include the following:

    • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
    • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
    • The Pixel 6 and Pixel 7 series of devices from Google;
    • any wearables that use the Exynos W920 chipset; and
    • any vehicles that use the Exynos Auto T5123 chipset.

    Google says patches should be issued to address the vulnerabilities permanently, with the March 2023 update for Pixels already including at least one fix:

    We expect that patch timelines will vary per manufacturer (for example, affected Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update). In the meantime, users with affected devices can protect themselves from the baseband remote code execution vulnerabilities mentioned in this post by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.

    To be clear, this is about as bad as it gets, in terms of mobile vulnerabilities, and users should take the necessary steps to protect themselves.

  • Ransomware Survival 101: Don’t Follow Dish Network’s Playbook

    Dish Network customers are still in limbo, with few answers weeks after the company was crippled by ransomware.

    Dish began experiencing major issues with its website, internal systems, and customer portal going offline in late February. Roughly a week later, the company admitted to suffering a massive ransomware attack, one that crippled operations and resulted in the theft of customer data.

    According to TechCrunch, Dish customers still have no idea what is going on, with many of them unable to access customer support, pay their bills, or get any kind of useful information.

    In fact, a number of customers have had their service disconnected because they have been unable to log into the customer portal to pay their bills. Others are already experiencing voice and email phishing attempts as hackers try to exploit the lack of information from Dish to take advantage of customers looking for answers.

    Company spokesperson Edward Wietecha told TechCrunch that “customers are having trouble reaching our service desks, accessing their accounts, and making payments.” When asked if the company was disconnecting users, Wietecha added that “customers who had their service temporarily suspended for nonpayment received additional time until our payment systems were restored.”

    In addition to the trouble Dish’s own customers are having, there is potential for the problem to be much worse and extend beyond Dish’s roughly 10 million customers. A former Dish retailer told TechCrunch that the company retains a veritable treasure trove of customer data from anyone who has ever signed up for Dish service, including those who never became customers because they didn’t pass the credit check. The information includes “customer names, dates of birth, email addresses, telephone numbers, Social Security numbers, and credit card information.” What’s more, it appears that Dish’s policy is to retain the information indefinitely.

    Overall, Dish is providing a case study of how not to handle a ransomware attack for any company that wants to come out the other side still having customers.

  • FBI Purchased Americans’ Location Data

    The FBI has admitted to buying Americans’ location data from advertising companies, raising concerns across the spectrum.

    The Supreme Court ruled in 2018 that law enforcement agencies were required to obtain a warrant before tracking Americans’ locations using cell phone data. The case was a major blow to the FBI and other agencies, many of which had relied on warrantless location tracking.

    It appears the FBI has found a way around the Supreme Court ruling, purchasing location data from advertising companies, according to Wired. The revelation came in the course of a US Senate hearing.

    Senator Ron Wyden, a well-known privacy advocate, asked FBI Director Christopher Wray if the agency used commercial location data.

    “Does the FBI purchase US phone-geolocation information?” Wyden asked.

    “To my knowledge, we do not currently purchase commercial database information that includes location data derived from internet advertising,” Wray responded. “I understand that we previously—as in the past—purchased some such information for a specific national security pilot project. But that’s not been active for some time.”

    Director Wray did say the FBI now relies on a “court-authorized process,” but did not go into detail regarding what that meant.

    Even so, many were quick to jump on Wray’s admission, pointing out the dangerous precedent it sets.

    “The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same,” said Sean Vitka, a policy attorney at Demand Progress. He also said Congress should ban the practice.

  • WhatsApp and Signal Poised to Leave UK Over Encryption Law

    United Kingdom users may be out of luck when it comes to messaging clients, with both WhatsApp and Signal prepared to leave.

    The UK is currently working to pass its Online Safety Bill, a piece of legislation that virtually all critics say would have a devastating impact on encryption and online security. Proponents of the bill have been accused of “magical thinking,” in which they believe encryption can be selectively weakened to catch bad guys.

    The UK’s government is

    WhatsApp and Signal have both come out saying they will refuse to weaken their encryption, a decision that would lead to them leaving the UK.

    “It’s a remarkable thing to think about,” said Will Cathcart, Meta’s head of WhatsApp, via The Guardian. “There isn’t a way to change it in just one part of the world. Some countries have chosen to block it: that’s the reality of shipping a secure product. We’ve recently been blocked in Iran, for example. But we’ve never seen a liberal democracy do that.

    “The reality is, our users all around the world want security,” added Cathcart. “Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”

    Similarly, Signal President Meredith Whittaker told the BBC: “We would absolutely 100% walk rather than ever undermine the trust that people place in us to provide a truly private means of communication.

    “We have never weakened our privacy promises, and we never would.”

    For its part, the British Home Office is recycling the age-old argument that there must be some way to protect privacy and simultaneously undermine it for the sake of catching criminals.

    “It is important that technology companies make every effort to ensure that their platforms do not become a breeding ground for paedophiles,” the Home Office stated.

    “The Online Safety Bill does not represent a ban on end-to-end encryption but makes clear that technological changes should not be implemented in a way that diminishes public safety – especially the safety of children online.

    “It is not a choice between privacy or child safety – we can and we must have both.”

    Unfortunately, as mathematicians, programmers, computer experts, privacy advocates, and many lawmakers have stated, that’s simply not how encryption works.

    “Encryption is either protecting everyone or it is broken for everyone,” Whittaker added.

    That fundamental law of mathematics is why Germany has come out opposed to a similar measure making its way through the EU, instead emphasizing the need to bolster traditional investigative methods to compensate.

  • Google Includes Free VPN Access With All Google One Accounts

    Google is now giving all Google One plans free VPN access and has unveiled a tool to monitor personal data on the dark web.

    Google One is the company’s storage service, offering several tiers for users to choose from depending on their needs. The company previously offered its VPN by Google One for free only on its top-tier plans, but is now providing it to all plans, regardless of tier.

    The company made the announcement in a blog post:

    VPN by Google One adds more protection to your internet activity no matter what apps or browsers you use, shielding it from hackers or network operators by masking your IP address. Without a VPN, the sites and apps you visit could use your IP address to track your activity or determine your location. Plus, we take several steps to make sure no one can tie your network traffic to your identity.

    Starting today, and rolling out over the next few weeks, we’re expanding VPN access to all Google One plans, including the Basic plan that starts at $1.99/mo. The VPN will be available in 22 countries across Android, iOS, Windows and Mac devices. You can also share the VPN with up to five others if they’re on your Google One plan.

    The company is also including its dark web report, giving users the ability to see if and when their data is posted on the dark web:

    Google One’s dark web report helps you scan the dark web for your personal info — like your name, address, email, phone number and Social Security number — and will notify you if it’s found. When you enable dark web report, you provide and select the information you’d like to keep an eye on within your monitoring profile. And if any matching info is found on the dark web, we’ll notify you and provide guidance on how you might protect that information. For example, if your Social Security number was found on the dark web, we might suggest you report it as stolen to the government or take steps to protect your credit.

    As we have pointed out before, there’s still the issue of trusting Google as a VPN provider. The company has a long history of privacy abuses, including ignoring users’ preferences regarding tracking and privacy.

    A VPN is only valuable if a user trusts the company providing the service. When the company providing the service primarily makes its money off of user data, it leaves one to wonder just how private their web browsing data will truly be.

    As we have said before, most users would be far better off using Mullvad or NordVPN instead.

  • Senators Introduce Bipartisan Bill Taking Aim at TikTok & Foreign Tech

    A bipartisan bill has been introduced to the Senate, one that would take a comprehensive approach to foreign tech.

    Concerns have been growing about TikTok and the threat it poses to privacy and security. In addition to TikTok, US officials remain concerned about Huawei, ZTE, and a host of other companies that could pose a threat to national security.

    Senators Mark R. Warner and John Thune led a bipartisan group of 12 senators in introducing the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act.

    “Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S. Before TikTok, however, it was Huawei and ZTE, which threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” said Sen. Warner. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”

    “Congress needs to stop taking a piecemeal approach when it comes to technology from adversarial nations that pose national security risks,” said Sen. Thune. “Our country needs a process in place to address these risks, which is why I’m pleased to work with Senator Warner to establish a holistic, methodical approach to address the threats posed by technology platforms – like TikTok – from foreign adversaries. This bipartisan legislation would take a necessary step to ensure consumers’ information and our communications technology infrastructure is secure.”

    The new legislation would give the Secretary of Commerce the authority to crack down on any information or communications tech developed by a foreign company “in which any foreign adversary has any interest and poses undue or unacceptable risk to national security.”

    The bill would also prioritize communications and tech that constitutes “critical infrastructure,” as well as enable the Commerce Secretary to take comprehensive action, including educating the public and businesses about potential security threats from foreign tech.

    “We need to protect Americans’ data and keep our country safe against today and tomorrow’s threats. While many of these foreign-owned technology products and social media platforms like TikTok are extremely popular, we also know these products can pose a grave danger to Wisconsin’s users and threaten our national security,” said Sen. Baldwin. “This bipartisan legislation will empower us to respond to our fast-changing environment – giving the United States the tools it needs to assess and act on current and future threats that foreign-owned technologies pose to Wisconsinites and our national security.”

    “There are a host of dangerous technology platforms – including TikTok – that can be manipulated by China and other foreign adversaries to threaten U.S. national security and abuse Americans’ personal data. I’m proud to join Senator Warner in introducing bipartisan legislation that would put an end to disjointed interagency responses and strengthen the federal government’s ability to counter these digital threats,” said Sen. Fischer.

  • Acer Suffers Data Breach, 160GB of Data For Sale Online

    Acer has confirmed a data breach, one that has resulted in 160GB of data being posted for sale online.

    According to BleepingComputer, bad actors compromised “a server hosting private documents used by repair technicians.” The data, some 160GB worth, was allegedly stolen in mid-February and has since been posted for sale on a popular hacking forum.

    Acer confirmed the breach in a statement to BleepingComputer:

    “We have recently detected an incident of unauthorized access to one of our document servers for repair technicians.

    “While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server.” – Acer.

    Hopefully, Acer’s initial evaluation will prove true. Unfortunately, not only have major data breaches been on the rise, but it is becoming far more common for initial investigations to reveal only half the story, with subsequent investigations showing the scope of a breach to be far larger than originally thought.

    For now, anyway, customers appear to have dodged the bullet. We will continue to monitor and update as more details become available.

  • Verizon Reportedly Suffered a Breach Exposing 7.5M+ Customer Records

    Verizon is the largest US carrier, but it appears to have joined T-Mobile in the ranks of those recently suffering a data breach.

    According to the SafetyDetectives cybersecurity team, a database containing 7.5 to 9 million Verizon customer records has been uploaded to an online forum. The records include data for both cellular and home internet customers.

    According to SafetyDetectives, the data does not appear to be particularly sensitive, although it is recent, with the forum post claiming the data was “stolen by hackers” in January 2023.

    Our researcher believes that the leaked database contains data stored by Verizon prior to January 2022. SafetyDetectives has reached this conclusion concerning the timeframe due to clues hidden in the filenames contained in the records. However, we cannot be conclusive with these indicators alone.

    Overall, the breach does not appear to be cause for much direct concern, although the data could be cross-referenced with other breaches to build a more complete profile of impacted users.

    While the information contained in the records does not appear to be highly sensitive or to contain Personal Identifiable Information (PII) – such as full names or physical addresses – some of the data points could be merged with other leaks. For example, if combined with an existing PII leak, an attacker could have a higher chance of success in impersonating a customer.

  • Dish Network Customer Data Stolen in Ransomware Attack

    More details have emerged regarding Dish Network’s recent outage, including the fact that customer data was stolen in the incident.

    Dish began experiencing major issues Thursday morning, with employees unable to work or access internal systems. The company’s website was also down. At the time, CEO Erik Carlson chalked it up to an “internal outage.”

    In a filing with the SEC, however, the company has admitted the issue was the result of a ransomware attack, one that compromised customer data:

    On February 27, 2023, the Corporation became aware that certain data was extracted from the Corporation’s IT systems as part of this incident. It is possible the investigation will reveal that the extracted data includes personal information. The measures described above are continuing while the Corporation, with the assistance of third-party experts and advisors, investigates the extent of the cyber-security incident.

    The company is working to restore the impacted services and is working with law enforcement.

  • BlackLotus Malware Is the First to Bypass Secure Boot

    Computer security became a little more challenging, with the BlackLotus malware becoming the first to bypass Secure Boot.

    Secure Boot is a mechanism in which the kernel and the various boot components are signed and verified at boot, ensuring that no malicious software can be inserted into the boot process to compromise a machine. While there have been many claims of malware that can bypass Secure Boot, BlackLotus is the first to actually do so.

    According to ESET malware analyst Martin Smolár, “the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.”

    Smolár goes on to discuss ESET’s findings, including the fact that BlackLotus can compromise even “the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.”

    The malware exploits a vulnerability that was patched more than a year ago, which still works because “the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.”

    In many ways, a bootkit like BlackLotus is the Holy Grail of exploits, because bootkits have “full control over the OS boot process and [are] thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages.”

    Because the bootkit hijacks the process early on, attackers can even enroll their own keys in the system so that the malware can have unfettered access without tripping any security measures.

    ESET’s research is disturbing on many levels, not the least of which is the fact that BlackLotus can be delivered both offline and online. This means an attacker does not need physical access to a device in order to compromise it.

    To make matters worse, it appears the vulnerability BlackLotus exploits is not the only one.

    “UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism,” writes Smolár. “And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing – including the one exploited by BlackLotus.”

    At this point, there are no absolute mitigation measures, only a combination of steps that can reduce the likelihood of a compromise. Once a computer is compromised, the safest thing to do is to reinstall the operating system and use the mokutil utility to delete the signed key that BlackLotus deposits to bypass Secure Boot.

  • NDR: The Next Generation of Cyber Security

    The potential for cyberattacks is expanding as the digital world expands and changes. The “pandemic era” of 2020–2021 saw a 150% spike in ransomware attacks. A total of 236.1 million ransomware attacks were recorded in the first half of 2022 alone. The most frequent cyberattack is ransomware, which captures and holds crucial business data and only releases it once the attacker receives a predetermined sum of money. The failure of conventional security methods is a significant contributing factor to the increase in these attacks.

    Basic Cyber Security Will No Longer Cut It

    The inability of conventional security methods to adapt and recognize newer, more sophisticated threats is the only factor contributing to their collapse. Current security methods take 287 days on average to discover a breach. This gives the breach more than enough time to succeed several times over. The “dwell time” of “stealth” attacks and intrusions grew by 36% in 2022, leaving only a slim window for detecting and interrupting incursions. Another important thing to keep in mind is that modern cybercriminals try to hide their trails by erasing their logs so they can’t be found. A fresh strategy must be implemented for safeguarding the online environment. But first, it’s crucial to pinpoint the threat to network security that has been nicknamed “dark space.”

    Dark space can be described as any network infrastructure that is not listed in the “golden store” of configuration data. Firewalls, routers, proxies, load balancers, endpoints, and hosts are all part of this data. Perhaps more startling is the fact that 70% of networks are dark space. Encryption was traditionally used to hide sensitive data and make data theft more difficult. Nowadays, cybercriminals hide their own operations behind encryption. In fact, 91.5% of malware travels over encrypted connections.

    How Confident Are IT Experts in Identifying Encrypted Cyberattacks?

    59% of them admitted that they are unaware of all device-to-device communications on their network. They also stated that they lack the instruments necessary to identify, intercept, and assess threats, which makes them uneasy handling encrypted communications. Unfortunately, they are not alone in feeling this way since 79% of businesses have trouble finding dangers concealed in encrypted data. They don’t feel certain that they fully comprehend how to identify and prevent digital assaults.

    Network detection and response (NDR) platforms are pitched as the next step in network security. NDR identifies unusual network activity so that a security team can respond to hidden threats more quickly. Rather than decrypting anything, it analyzes the metadata and behavior of encrypted connections, such as who talks to whom, how often, and how much data moves, to find malware inside protected sessions. It also monitors how all network traffic flows and looks for external threats. Because its evidence comes from the wire rather than from host logs, NDR can tie malicious activity to a specific IP address even when attackers erase the logs on the systems they compromise. Finally, NDR offers immediate alerts to speed up incident response.

    In Conclusion

    This, however, is merely basic NDR. An AI-supported NDR platform is in the works to navigate dark space with greater intelligence and adaptability. Dubbed “ThreatEye,” it builds on the NDR platform to fingerprint every asset and its behavior patterns and watches for unusual activity.
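    The checks described above (spotting dark space, watching device-to-device communication, finding malware inside encrypted sessions without decrypting them, and attributing activity to an IP address after host logs are gone) can be illustrated over plain flow metadata. The block below is an added example and is not LiveAction or ThreatEye code; the internal address plan, the asset inventory, the learned baseline, the flow records and the detection thresholds are all constructed assumptions.

```python
"""Flow-metadata checks of the kind an NDR platform performs. Added example,
not LiveAction/ThreatEye code. The asset inventory (the "golden store"), the
learned baseline of talker pairs and the flow records are all constructed.
Only metadata is used (addresses, ports, bytes, timestamps); nothing is
decrypted."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the organisation's internal address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed "golden store": hosts the CMDB knows about.
GOLDEN_STORE = {"10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.1.20"}

# Constructed baseline of (src, dst, dport) learned during a quiet week.
BASELINE_PAIRS = {
    ("10.0.0.5", "10.0.1.20", 443),
    ("10.0.0.7", "10.0.1.20", 443),
    ("10.0.0.9", "10.0.1.20", 443),
}

# Constructed TLS flow records: (ts_seconds, src, dst, dport, bytes_out).
FLOWS = [
    (0, "10.0.0.5", "10.0.1.20", 443, 4_100),
    (30, "10.0.0.7", "10.0.1.20", 443, 3_900),
    # 10.0.0.9 checks in with an external host every 60 s with tiny payloads.
    (5, "10.0.0.9", "203.0.113.10", 443, 640),
    (65, "10.0.0.9", "203.0.113.10", 443, 652),
    (125, "10.0.0.9", "203.0.113.10", 443, 648),
    (185, "10.0.0.9", "203.0.113.10", 443, 655),
    # An internal host nobody inventoried talks SMB to a workstation.
    (40, "10.0.2.200", "10.0.0.5", 445, 12_000),
    # A one-off 52 MB upload to the same external host.
    (200, "10.0.0.7", "203.0.113.10", 443, 52_000_000),
]

def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def dark_space(flows, golden_store=GOLDEN_STORE):
    """Internal addresses seen on the wire but missing from the inventory."""
    seen = {ip for f in flows for ip in (f[1], f[2]) if is_internal(ip)}
    return seen - set(golden_store)

def new_pairs(flows, baseline=BASELINE_PAIRS):
    """(src, dst, dport) triples never observed while baselining."""
    return {(f[1], f[2], f[3]) for f in flows} - set(baseline)

def beacons(flows, min_count=4, max_jitter=0.10):
    """Keys with >= min_count flows whose inter-arrival times vary by no more
    than max_jitter of the mean interval: the shape of C2 check-ins."""
    stamps = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        stamps[(src, dst, dport)].append(ts)
    found = {}
    for key, ts_list in stamps.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg, 1)
    return found

def bulk_transfers(flows, min_bytes=10_000_000):
    """Single flows pushing at least min_bytes out of a host."""
    return {(f[1], f[2]): f[4] for f in flows if f[4] >= min_bytes}

def attribute(flows, dst):
    """Sources that talked to dst, taken from flow metadata alone, so the
    answer survives an attacker wiping logs on the compromised host."""
    return sorted({f[1] for f in flows if f[2] == dst})

def report(flows=FLOWS):
    return {
        "dark_space": dark_space(flows),
        "new_pairs": new_pairs(flows),
        "beacons": beacons(flows),
        "bulk_transfers": bulk_transfers(flows),
    }

if __name__ == "__main__":
    for name, finding in report().items():
        print(f"{name}: {finding}")
    print("talked to 203.0.113.10:", attribute(FLOWS, "203.0.113.10"))
```

    Each check uses only what a sensor on a span port or a flow exporter sees, which is why none of it needs decryption and why the attribution still works after an endpoint's own logs have been wiped. In production the baseline and thresholds would be learned per segment rather than hard-coded.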

    What is Network Detection & Response?
    Source: Live Action
  • National Cyber Strategy Puts Cybersecurity Burden on Big Tech

    National Cyber Strategy Puts Cybersecurity Burden on Big Tech

    The White House unveiled its National Cyber Strategy, shifting the burden of providing security from individuals to Big Tech.

    Cybersecurity has become a major issue for individuals, businesses, and government agencies, with hardly a day going by without disclosure of another data breach. According to CNBC, a key component of the new strategy is putting the burden of protection on Big Tech, the segment best equipped to address security issues.

    “The president’s strategy fundamentally reimagines America’s cyber social contract,” Acting National Cyber Director Kemba Walden said during a press briefing on Wednesday. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”

    Walden added, “the biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”

    The strategy document emphasizes the importance of the public and private sectors working together:

    The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem. Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity. A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.

    Instead, across both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient. In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems. Government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and conducting disruptive actions to counter cyber threats. Together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.

    The National Cyber Strategy echoes sentiments voiced by Google, in which the company threw its support behind companies being held responsible for cybersecurity. Google also emphasized the need for companies to build systems that are fundamentally more secure — rather than offloading that burden on the average user.

  • Google Cloud May Be Vulnerable to Unnoticed Data Theft

    Google Cloud May Be Vulnerable to Unnoticed Data Theft

    Google Cloud may be more vulnerable than its competitors to unnoticed data theft, thanks to logs that are not as helpful as they should be.

    Cybersecurity firm Mitiga analyzed Google Cloud’s online storage and found that the platform’s logging mechanism comes up woefully short in terms of providing useful information. This is especially concerning since these logs are used by security professionals and law enforcement to identify the scope of a potential breach.

    According to Mitiga, Google’s current logging system cannot effectively differentiate between a threat actor viewing data versus exfiltrating it:

    Even with the detailed logging constraint applied, Google logs events of reading Metadata of an object in a bucket the same way it logs events of downloading the exact same object. This lack of coverage means that when a threat actor downloads your data or, even worse, exfiltrates it to an external bucket, the only logs you would see will be the same as if the TA just viewed the metadata of the object.

    While this issue doesn’t inherently make Google Cloud any more insecure than the next cloud provider, it does mean that customers impacted by a data breach on Google Cloud may have a much harder time taking the appropriate investigative action.

    Mitiga reached out to Google Cloud and received the following response:

    “The Mitiga blog highlights how Google’s Cloud Storage logging can be improved upon for forensics analysis in an exfiltration scenario with multiple organizations. We appreciate Mitiga’s feedback, and although we don’t consider it a vulnerability, have provided mitigation recommendations.”
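    To see what Mitiga’s finding means for an investigator, the following added example (not Mitiga’s or Google’s code) triages constructed Cloud Storage Data Access audit log entries. The field names follow the Cloud Audit Logs layout (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp, resourceName), and storage.objects.get is the method the Data Access log records for an object read; the bucket, principals and trusted corporate egress range are assumptions. Because a metadata read and a download leave the same entry, the script treats every object read as a possible download and reports the worst-case scope per principal.

```python
"""Worst-case exfiltration scoping from Cloud Storage Data Access logs.
Added example, not Mitiga's or Google's code. The log lines are constructed;
the field layout follows Cloud Audit Logs. Since a metadata read and a
download both appear as storage.objects.get, every such entry is counted as
a potential download."""
import ipaddress
import json
from collections import defaultdict

# Assumption: the organisation's known egress range.
TRUSTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

def _entry(ts, method, principal, ip, resource):
    """Build one constructed audit-log line in Cloud Audit Logs shape."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "resourceName": resource}})

BUCKET = "projects/_/buckets/finance-reports"          # constructed
SVC = "svc-backup@proj.iam.gserviceaccount.com"        # constructed
SAMPLE_LOG_LINES = [
    # An analyst opens the object's properties, then downloads it: two
    # identical-looking entries.
    _entry("2023-03-01T10:00:00Z", "storage.objects.get", "analyst@example.com",
           "198.51.100.7", f"{BUCKET}/objects/q4.xlsx"),
    _entry("2023-03-01T10:00:02Z", "storage.objects.get", "analyst@example.com",
           "198.51.100.7", f"{BUCKET}/objects/q4.xlsx"),
    _entry("2023-03-01T10:05:00Z", "storage.buckets.list", "analyst@example.com",
           "198.51.100.7", "projects/_/buckets"),
    # A service account, from an address outside trusted egress, touches three
    # objects at 2 a.m. Metadata peek or full exfiltration? The log can't say.
    _entry("2023-03-02T02:11:00Z", "storage.objects.get", SVC, "203.0.113.44",
           f"{BUCKET}/objects/q4.xlsx"),
    _entry("2023-03-02T02:11:01Z", "storage.objects.get", SVC, "203.0.113.44",
           f"{BUCKET}/objects/payroll.csv"),
    _entry("2023-03-02T02:11:03Z", "storage.objects.get", SVC, "203.0.113.44",
           f"{BUCKET}/objects/board-deck.pdf"),
    _entry("2023-03-02T02:12:00Z", "storage.objects.create", SVC, "203.0.113.44",
           f"{BUCKET}/objects/backup.tar"),
]

def parse_object_gets(lines):
    """Yield (principal, caller_ip, object) for every object read."""
    for line in lines:
        p = json.loads(line)["protoPayload"]
        if p.get("methodName") != "storage.objects.get":
            continue
        yield (p["authenticationInfo"]["principalEmail"],
               p["requestMetadata"]["callerIp"],
               p["resourceName"])

def from_trusted_egress(ip, trusted=TRUSTED_EGRESS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)

def worst_case_scope(lines, trusted=TRUSTED_EGRESS):
    """Per principal: every object they could have pulled, the addresses they
    came from, and whether any call originated outside trusted egress."""
    acc = defaultdict(lambda: {"objects": set(), "caller_ips": set(), "gets": 0})
    for principal, ip, obj in parse_object_gets(lines):
        acc[principal]["objects"].add(obj)
        acc[principal]["caller_ips"].add(ip)
        acc[principal]["gets"] += 1
    return {
        principal: {
            "objects": sorted(s["objects"]),
            "caller_ips": sorted(s["caller_ips"]),
            "get_count": s["gets"],
            "outside_trusted_egress": any(
                not from_trusted_egress(ip, trusted) for ip in s["caller_ips"]),
        }
        for principal, s in acc.items()
    }

if __name__ == "__main__":
    for principal, scope in worst_case_scope(SAMPLE_LOG_LINES).items():
        print(principal, json.dumps(scope, indent=2))
```

    The output is a list of objects to treat as compromised, not a list of objects known to have left the bucket; narrowing it further has to come from other evidence (egress byte counts, the caller’s own telemetry), which is exactly the gap Mitiga is pointing at.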

  • Hackers Had Access to News Corp’s Systems For Two Years

    Hackers Had Access to News Corp’s Systems For Two Years

    News Corp has revealed that a previously acknowledged breach was much worse than originally thought.

    News Corp, which owns The Wall Street Journal, revealed in February 2022 that it had suffered a cybersecurity breach. The company said the breach involved “persistent cyberattack activity” in a third-party cloud service it used.

    Unfortunately, in a breach notification first spotted by Ars Technica, the company has admitted that the breach went on for two years:

    “Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts in the affected system, some of which contained personal information,” the letter stated. “Our investigation indicates that this activity does not appear to be focused on exploiting personal information.”

    The company did say that it does not believe any fraud or identity theft has been committed as a result of the breach. Instead, News Corp told Ars that investigators “believe that this was an intelligence collection.”

    That conclusion is consistent with what was learned last year when the breach was first discovered. At the time, News Corp enlisted security firm Mandiant to help it resolve the situation, and Mandiant concluded that the attack was carried out by hackers affiliated with the Chinese government.

  • Hackers Reportedly Compromised T-Mobile 100+ Times in 2022

    Hackers Reportedly Compromised T-Mobile 100+ Times in 2022

    T-Mobile does not have a good reputation when it comes to cybersecurity, and that’s about to get a whole lot worse.

    T-Mobile has had multiple cybersecurity breaches over the last few years, impacting tens of millions of users and costing the company hundreds of millions in settlements. Unfortunately, that may be just the tip of the iceberg, according to a new report from Krebs on Security.

    According to Krebs, three different hackers groups claim to have accessed the company’s internal systems:

    Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

    The hackers’ goal was SIM swapping: moving a victim’s phone number to a device the attacker controls, so that the victim’s calls and text messages, including any one-time login codes sent by SMS, are delivered to the attacker instead.

    The data regarding attacks was collected by monitoring various Telegram channels used by the hacker groups. The message “Tmobile up!” or “Tmo up!” was posted anytime a hacker successfully SIM-swapped a target.

    Krebs initially planned on counting the instances for all of 2022, working backward from the end of the year. Unfortunately, the number of hacks racked up much faster than anticipated.

    But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.

    It’s unclear why T-Mobile is suffering so many of these attacks. While there are similar efforts against Verizon and AT&T, the number of successful attempts is far less. Some experts believe the magenta carrier is not doing enough to secure its systems.

    “These breaches should not happen,” said Nicholas Weaver, a UC Berkeley researcher. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”
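    Weaver’s point about security keys is about phishing resistance. A one-time code is just digits that a victim can be talked into typing into a look-alike page and that the phisher can forward to the real site within the validity window; a FIDO/WebAuthn assertion is signed over the origin the browser actually loaded and over a credential scoped to the real site’s domain, so a relayed assertion fails verification. The block below is an added example, not T-Mobile’s or Krebs’s code; the origins, the user and the secrets are constructed, and a keyed HMAC stands in for the authenticator’s public-key signature so the block runs stand-alone.

```python
"""Why a phish-relayed one-time code works but a phish-relayed security-key
assertion does not. Added example; origins, user and secrets are constructed,
and HMAC stands in for the authenticator's public-key signature."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://sso.example.com"   # constructed real login page
PHISH_ORIGIN = "https://sso-example.com"   # constructed look-alike

def totp_like(secret: bytes, window: int) -> str:
    """Six-digit code from a shared secret and a time window (toy TOTP)."""
    mac = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def rp_id_from_origin(origin: str) -> str:
    return origin.split("://", 1)[1]

class SecurityKey:
    """Toy authenticator: one credential per relying-party ID."""
    def __init__(self):
        self._creds = {}
    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]        # a real key hands back a public key
    def sign(self, rp_id: str, origin: str, challenge: str):
        # The browser writes the origin it actually loaded into clientData;
        # the page cannot change it and the user never types it.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(self._creds[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig

class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self.otp_secrets, self.key_creds = {}, {}
    def enroll_otp(self, user: str) -> bytes:
        self.otp_secrets[user] = secrets.token_bytes(20)
        return self.otp_secrets[user]    # shared with the user's phone app
    def enroll_key(self, user: str, key: SecurityKey) -> None:
        self.key_creds[user] = key.register(self.rp_id)
    def new_challenge(self) -> str:
        return secrets.token_hex(16)
    def verify_otp(self, user: str, code: str, window: int) -> bool:
        return hmac.compare_digest(code, totp_like(self.otp_secrets[user], window))
    def verify_assertion(self, user, challenge, client_data, sig) -> bool:
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] != challenge:
            return False                 # signed for another site, or replayed
        want = hmac.new(self.key_creds[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, want)

def otp_relay(rp: RelyingParty, user: str, phone_secret: bytes, window: int) -> bool:
    """Victim reads the code off their phone and types it into the phishing
    page; the phisher forwards the digits to the real site inside the window."""
    code_typed_into_phish_page = totp_like(phone_secret, window)
    return rp.verify_otp(user, code_typed_into_phish_page, window)

def key_relay(rp: RelyingParty, user: str, key: SecurityKey) -> bool:
    """Phisher fetches a genuine challenge and forwards it to the victim's
    browser, which is sitting on PHISH_ORIGIN. A real browser would refuse to
    use a credential scoped to sso.example.com from that page at all; here the
    credential is released anyway to show the origin check rejecting it."""
    challenge = rp.new_challenge()
    client_data, sig = key.sign(rp.rp_id, PHISH_ORIGIN, challenge)
    return rp.verify_assertion(user, challenge, client_data, sig)

def legit_key_login(rp: RelyingParty, user: str, key: SecurityKey) -> bool:
    challenge = rp.new_challenge()
    client_data, sig = key.sign(rp.rp_id, LEGIT_ORIGIN, challenge)
    return rp.verify_assertion(user, challenge, client_data, sig)

def demo() -> dict:
    rp, key = RelyingParty(LEGIT_ORIGIN), SecurityKey()
    phone_secret = rp.enroll_otp("alice")
    rp.enroll_key("alice", key)
    return {
        "otp_relay_succeeds": otp_relay(rp, "alice", phone_secret, window=1_700_000),
        "key_relay_succeeds": key_relay(rp, "alice", key),
        "legit_key_login": legit_key_login(rp, "alice", key),
    }

if __name__ == "__main__":
    print(demo())
```

    The same reasoning applies to push-approval and SMS codes: anything the user can read and re-enter can be relayed, whereas the origin check and the per-domain credential scoping give the real site a reason to refuse that does not depend on the user noticing the look-alike address.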

    For its part, T-Mobile told Krebs it is combating the issue while also emphasizing it is an industry-wide problem.

    “And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

    There is evidence to suggest the company is making progress, with the hacker groups complaining that their access after a successful swap is being severed much sooner than before. Some have even theorized that T-Mobile’s security team may be monitoring the Telegram channels.

    While it’s encouraging to see T-Mobile is making progress, it’s still disturbing that the company is experiencing this many breaches.

  • GoDaddy Suffered Multi-Year Breach, Malware Installed On Servers

    GoDaddy Suffered Multi-Year Breach, Malware Installed On Servers

    GoDaddy has informed customers it suffered a multi-year breach, one that involved hackers installing malware on its servers.

    GoDaddy said it started receiving complaints from customers in December 2022. Some customers reported their websites intermittently redirecting to other domains. The company investigated, but the issue was difficult to prove since it appeared to be happening randomly across its customer base.

    Ultimately, the company realized it had been hacked and malware was responsible for the unusual behavior:

    As our investigation continued, we discovered that an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites. Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.

    In the company’s 10-K filing, it acknowledged the breach was the result of a multi-year campaign against it:

    Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.

    GoDaddy says it is applying the lessons it has learned from this breach in an effort to improve security. The company also says “these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business.”

    Despite its assurances, many customers will likely start migrating away from GoDaddy to hosting providers with a better security record, which could have a major impact on its business.

  • Apple Releases macOS Big Sur Security Update

    Apple Releases macOS Big Sur Security Update

    Apple has released a security update to its Big Sur version of macOS, bringing it to version 11.7.4.

    Big Sur was originally released in November 2020, and has since been superseded by macOS Monterey and macOS Ventura. Nonetheless, Apple has a solid track record of providing fixes for older versions of macOS.

    According to the company’s support page, “this update has no published CVE entries,” but users should still apply it as soon as possible. Apple sometimes adds CVE details to a release note after the fact, so the absence of published entries does not mean the update is cosmetic.

  • Google Sides With US in Holding Companies Responsible for Cybersecurity

    Google Sides With US in Holding Companies Responsible for Cybersecurity

    Google and the US government may be at odds about many things, but the two are in agreement on one big one: who should be responsible for cyberattacks.

    In a blog post by Kent Walker, President, Global Affairs & Chief Legal Officer, and Royal Hansen, VP of Engineering for Privacy, Safety, and Security, the executives make the case that companies should be responsible for improving cybersecurity:

    “Should companies be responsible for cyberattacks? The U.S. government thinks so – and frankly, we agree.”

    The two execs then quote Jen Easterly and Eric Goldstein of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security:

    “The incentives for developing and selling technology have eclipsed customer safety in importance. […] Americans…have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”

    Walker and Hansen go on to lament that cyber threats are growing, taking advantage of “insecure software, indefensible architectures, and inadequate security investment.” The solution is a complete rethinking of how software is designed and deployed.

    “The bottom line: People deserve products that are secure by default and systems that are built to withstand the growing onslaught from attackers,” the executives write. “Safety should be fundamental: built-in, enabled out of the box, and not added on as an afterthought. In other words, we need secure products, not security products. That’s why Google has worked to build security in – often making it invisible – to our users. Many of our most significant security features, including innovations like SafeBrowsing, do their best work behind the scenes for our core consumer products.”

    The executives emphasize the importance of security being smooth and streamlined, not the cumbersome experience that often exists today, and that results in customers choosing insecurity over inconvenience. Walker and Hansen also recognize there is no silver bullet but that significant steps can and should be taken to greatly improve the status quo.

    “Of course, raising the security baseline won’t stop all bad actors, and software will likely always have flaws – but we can start by covering the basics, fixing the most egregious security risks, and coming up with new approaches that eliminate entire classes of threats,” they add. “Google has made investments in the past two decades, but contributing resources is just a piece of the puzzle. It’s work for all of us, but it’s the responsible thing to do: The safety and security of our increasingly digitized world depends on it.”