Is the skills gap preventing you from executing your enterprise strategy?

As many business leaders look to close the skills gap and cultivate a sustainable workforce amid COVID-19, an IBM Institute for Business Value (IBV) study reveals less than 4 in 10 human resources (HR) executives surveyed report they have the skills needed to achieve their enterprise strategy.

COVID-19 exacerbated the skills gap in the enterprise

Pre-pandemic research in 2018 found as many as 120 million workers surveyed in the world’s 12 largest economies may need to be retrained or reskilled because of AI and automation in the next three years.

That challenge has only been exacerbated in the midst of the COVID-19 pandemic – as many C-suite leaders accelerate digital transformation, they report that inadequate skills are one of their biggest hurdles to progress.

Employers should shift to meet new employee expectations

Ongoing consumer research also shows surveyed employees’ expectations for their employers have significantly changed during the COVID-19 pandemic but there’s a disconnect in how effective leaders and employees believe companies have been in addressing these gaps.

74% of executives surveyed believe their employers have been helping them learn the skills needed to work in a new way, compared to just 38% of employees surveyed, and 80% of executives surveyed said their company is supporting employees’ physical and emotional health, but only 46% of employees surveyed agreed.

“Today perhaps more than ever, organizations can either fail or thrive based on their ability to enable the agility and resiliency of their greatest competitive advantage – their people,” said Amy Wright, managing partner, IBM Talent & Transformation.

“Business leaders should shift to meet new employee expectations brought on by the COVID-19 pandemic, such as holistic support for their well-being, development of new skills and truly personalized employee experiences even while working remotely.

“It’s imperative to bring forward a new era of HR – and those companies that were already on the path are better positioned to succeed amid disruption today and in the future.”

The study includes insights from more than 1,500 global HR executives surveyed in 20 countries and 15 industries. Based on those insights, the study provides a roadmap for the journey to the next era of HR, with practical examples of how HR leaders at surveyed “high-performing companies” – meaning those that outpace all others in profitability, revenue growth and innovation – can reinvent their function to build a more sustainable workforce.

Additional highlights

  • Nearly six in 10 high performing companies surveyed report using AI and analytics to make better decisions about their talent, such as skilling programs and compensation decisions. 41% are leveraging AI to identify skills they’ll need for the future, versus 8% of responding peers.
  • 65% of surveyed high performing companies are looking to AI to identify behavioral skills like growth mindset and creativity for building diverse adaptable teams, compared to 16% of peers.
  • More than two thirds of all respondents said agile practices are essential to the future of HR. However, less than half of HR units in participating organizations have capabilities in design thinking and agile practices.
  • 71% of high performing companies surveyed report they are widely deploying a consistent HR technology architecture, compared to only 11% of others.

“In order to gain long-term business alignment between leaders and employees, this moment requires HR to operate as a strategic advisor – a new role for many HR organizations,” said Josh Bersin, global independent analyst and dean of the Josh Bersin Academy.

“Many HR departments are looking to technology, such as the cloud and analytics, to support a more cohesive and self-service approach to traditional HR responsibilities. Offering employee empowerment through holistic support can drive larger strategic change to the greater business.”

Three core elements to promote lasting change

According to the report, surveyed HR executives from high-performing companies were eight times as likely as their surveyed peers to be driving disruption in their organizations. Among those companies, the following actions are a clear priority:

  • Accelerating the pace of continuous learning and feedback
  • Cultivating empathetic leadership to support employees’ holistic well-being
  • Reinventing their HR function and technology architecture to make more real-time data-driven decisions

Save 40% on CISSP or CCSP training until November 30

Achieving the globally respected (ISC)² CISSP or CCSP certifications can catapult your career, leading to more credibility, better opportunities and increased earning potential.

To help you stay committed to your certification, through November 30, (ISC)² is offering a 40% discount off Official CISSP and CCSP Online Instructor-Led Trainings when you bundle with an exam voucher. Training seats are limited, so secure your spot today!


Online instructor-led training and exam bundle

Your bundle includes:

  • Direct access to an (ISC)² Authorized Instructor
  • Exam voucher (valid for 12 months)
  • Official (ISC)² Student Training Guide (electronic, 1-year access)
  • Interactive flash cards
  • Post-course assessment
  • Continued access to course content for 6 months

Official (ISC)² online instructor-led training

Perfect for distance learning, this hands-on training format offers the structure of real-time class in a virtual setting, with the option to access course recordings. And since it’s Official (ISC)² Training you will be learning the most relevant, up-to-date content developed by (ISC)², creator of the CISSP and CCSP Common Body of Knowledge (CBK).

View training schedule and don’t miss out! Offer ends November 30, 2020.

Honeywell launches Honeywell Secure Media Exchange to protect against malicious USB attacks

Honeywell announces the launch of Honeywell Secure Media Exchange (SMX) R201.1, an enterprise software offering to better protect users from advanced malware and firmware-based cybersecurity attacks from USB drives and other removable media.

Honeywell SMX can help organizations reduce cybersecurity risk and operational disruption through advanced threat detection capability for operating environments including those in critical infrastructure.

“We are excited to expand Honeywell SMX as an enterprise security solution to include hardware device management with our TRUST V2 [Trusted Response User Substantiation Technology],” said Jeff Zindel, vice president and general manager, Honeywell Connected Enterprise Cybersecurity.

“This TRUST V2 technology allows a user to confirm a device during the authentication stage, validating that a USB device is legitimate. Honeywell SMX improves security for industrials and organizations across industries by providing increased safety, improved efficiency, better visibility and management, and more control over hardware devices. Overall, it can help greatly reduce the risk of downtime and production interruptions due to cyberattacks.”

Honeywell SMX now includes an Enterprise Threat Management Portal to give users a view of all USB device activity across the organization, with the additional ability to implement file management features while centralizing reporting.

In a time when more employees are working remotely, Honeywell SMX provides better control and visibility to detect potential sources of intrusions. It also increases the safety of patches or updates while simultaneously improving their efficiency.

All patches and updates can be validated prior to arrival at the facility, speeding up scan times and allowing operators to complete their work faster and safer than ever before.

“It’s not only removable media and malware that we need to worry about. USB devices of all types have become an increasingly serious risk to organizations, capable of crossing the air gap and targeting OT,” said Eric Knapp, director of Cybersecurity Research and Senior Fellow, Honeywell Connected Enterprise, Cybersecurity.

“Honeywell SMX provides customers with an enforceable USB security solution that better protects against all types of USB threats, from hardware attack platforms to the latest targeted malware.”

Zerto Data Protection: Continuous data protection to all app tiers displacing traditional backup

Zerto launched Zerto Data Protection (ZDP), which displaces traditional backup with continuous data protection (CDP) for all applications. By offering a new, cost-effective backup solution, Zerto is bringing the power of its award-winning CDP to all applications at a much lower TCO.

“At Zerto, we have always worked with our customers to deliver backup and data protection solutions that align with their enterprise IT infrastructure strategies,” commented Gil Levonai, CMO and senior vice president of product, Zerto.

“As the pioneers of CDP, our customers have experienced the many benefits of continuous data protection and asked us to utilize it also for their lower tier workloads. We listened and are now delivering a new offering that I personally believe will change the backup market—an industry that hasn’t evolved in more than 30 years.

“ZDP gives businesses a data protection strategy for all of their applications with significant TCO savings tailored to their unique needs.”

Zerto Data Protection (ZDP) delivers 50% TCO savings by reducing hardware needs, enabling recovery of data without downtime or data loss, and is priced for backup use cases.

ZDP delivers:

  • Local continuous backup for day-to-day backup restores – Local journaling technology allows you to recover without the data loss, downtime, or production impact that are inherent to traditional backup solutions, ensuring business continuity and availability.
  • Long-term retention on-premises or in the public cloud – Required for compliance and regulatory demands where data needs to be stored for months and years, data is incrementally copied from the journal into cost-effective storage on-premises or in the public cloud with Microsoft Azure and AWS, driving cost optimization and the elimination of problematic backup windows. Long-term retention is about adhering to compliance requirements while optimizing costs.

“Continuous Data Protection is an important part of an organization’s data protection strategy,” said Maura Hameroff, director, Azure marketing, Microsoft Corp. “Zerto is meeting the performance requirements of Azure’s diverse users by delivering a cost-effective solution optimized for individual needs.”

“Ensuring our public services and data are available 24/7 despite planned or unplanned IT disruptions is critical to the success and well-being of Grey County residents,” said Evan Davis, technology and infrastructure manager, Grey County.

“With the Zerto Platform, we’ve been able to achieve a much stronger data protection strategy with greater agility within Azure while significantly reducing capital and operational costs.

“Zerto gives us the ability to completely automate recovery while achieving RPOs of seconds and RTOs of minutes. We’re also very excited to gain the capability of long-term retention of data in Azure for our compliance needs.”

Xi Jinping tells China to get busy quickening quantum everything to build ‘new advantages for development’

Chinese president Xi Jinping has told the nation to hurry up and do whatever it takes to commercialise quantum technology.

In a speech to a group study session of the Political Bureau of the Communist Party of China’s Central Committee last week, Xi called for the nation’s boffins to pursue independent research and make breakthroughs in core technologies.

State-run media, which reported the speech, said the “chairman of everything” wants China to “ensure the safety of industrial and supply chains, and enhance China’s ability of responding to international risks and challenges with science and technology.”

Local outlets say Xi also “called for efforts to foster strategic emerging industries such as quantum communications to gain an upper hand in international competition and build new advantages for development.”

The mention of communications is notable given that China has already demonstrated quantum key distribution and done so from a satellite that carries particles entangled with earthbound matter. With quantum encryption widely regarded as utterly impervious to decryption, calling for China to build a “new advantage” through quantum technology has potentially significant implications.

China has fewer quantum computing wins to trumpet, but state media have talked up innovations that could lead to a million-qubit system inside a decade. If built with local tech, such a machine could do to US import bans what a working million-qubit machine does to a Xeon – make it look utterly irrelevant!

By way of contrast, IBM in September outlined a quantum roadmap that promised to deliver a 1,121-qubit machine in 2023 and suggested million-qubit boxes as the next step without putting a date on when they might be delivered.

Can China get ahead in quantum? The nation’s rapid industrialisation shows it can quickly achieve extraordinary feats. Yet China’s ambitions to build more semiconductors have foundered amid odd corporate contortions and some more conventional problems building very complex manufacturing facilities. Quantum tech is more complex still and won’t bend to Xi’s will. ®

Protiviti launches privacy offering in response to the evolving privacy landscape exacerbated by COVID-19

Protiviti has launched a new privacy offering in response to the evolving privacy landscape, which has been exacerbated by the COVID-19 pandemic.

Privacy as a Service (Protiviti PraaS) is a managed service privacy offering helping companies assess their privacy needs, implement effective compliance measures and respond to new and changing regulations.

“You cannot have privacy without security – the two go hand in hand. In the current environment where employees are working remotely all over the world, it’s more important than ever that businesses have comprehensive policies, controls and assessments in place and that privacy concerns aren’t pushed to the backburner,” said Curt Dalton, managing director and global leader of Protiviti’s Security and Privacy practice.

The customized Protiviti PraaS privacy offering is focused around five main priority areas, allowing companies to focus on their core operations by automating privacy-related functions and providing much needed support and expertise when it comes to managing corporate data and keeping up with changing legislation across jurisdictions globally:

  • Recurring data inventory, classification and assessments
  • Data subject rights (DSR) request management
  • Privacy platform management
  • Privacy by design assessment and engineering
  • Monitoring privacy legislation and program management

Additionally, recruiting and retaining talent who have the skills required to react, respond and advise on the complex and ever-changing privacy landscape continues to pose a substantial hurdle for organizations, especially mid-sized firms.

“All industries are compelled to enhance their privacy protections due to increased regulation, from GDPR to the Privacy Shield, and from rising client expectations for firms to protect their data. Companies, especially small and mid-sized organizations, are struggling to find the right talent to achieve and maintain compliance.

“Protiviti PraaS service was born out of client demands for a cost-effective, sustainable privacy solution for businesses that lack the budget and capabilities for a full in-house privacy team,” said Terry Jost, a Protiviti managing director and leader of the firm’s Managed Security Services.

“We can provide end-to-end expertise to our clients, from preventative measures to ongoing privacy management and through resolution of obligations.”

Thailand calls on telcos and ISPs to censor information about pro-democracy protests

Thailand has asked the nation’s telcos and internet service providers to censor communication about a wave of protests sweeping the country and made it an offence to take a selfie at protest events.

The reasons for the protests are many and complex but centre on citizens’ belief that progress from military-centric government to a more democratic system has not been as rapid as they desire, or the nation needs. The nation’s Monarch has also disrupted norms by expressing a preference for current arrangements to persist, while also taking personal ownership of royal assets felt to be owned by the public.

With COVID-19 complicating matters mightily, protestors have taken to the streets in recent months in the hope of securing change. Late last week the government declared a state of emergency that forbade gatherings of more than five people and closed public transport, restrictions that were aimed at making protests illegal and difficult to stage even if participants wished to flout the law. The government said the protests threaten the safety of public assets, national security and the safety of the monarch himself as some events took place close to the route of royal processions.

Minister for the digital economy and society Putthipong Punnakan then announced talks with mobile carriers and ISPs to prevent dissemination of information about the protests or accounts of them created by participants.

A selfie ban followed, complete with fines of US$1,280 and the possibility of two-year jail terms. Authorities can also confiscate smartphones.

Protest organisers responded by organising more protests and advising participants not to post selfies! Indeed, at least five major protests appear to have taken place in the Thai capital Bangkok yesterday alone, with more planned. Authorities dispersed some with water cannon. ®

If you’re feeling down, know that we’ve just buried a heat sensor in an alien planet. If NASA can get through Mars soil, we can get through 2020

NASA’s off-again, on-again Mars digger nicknamed the mole is finally buried in the planet’s soil and will take readings beneath the surface next year.

If you’ve been following this Martian drama closely, you’ll know that the instrument, which came to the unforgiving dust world with NASA’s InSight lander, has been in a spot of bother for more than a year. The probe was designed to burrow at least three metres into the Martian soil to take the planet’s temperature.

Officially known as the Heat Flow and Physical Properties Package (HP3), the rod-like mole hammered itself about 35cm into the Red Planet after it was deployed in February 2019. It then got stuck in a type of soil NASA hadn’t anticipated, and later bounced out, ruining its progress. The experiment’s scientists decided to fix the problem by pushing the gizmo into the soil using a scoop attached to a robotic arm, allowing it to continue digging down.

Probe … Illustration of the InSight lander and its HP3 temperature sensor on the right … Credit: NASA/JPL-Caltech

Now, NASA has reported the mole is fully embedded under the surface of Mars, and it should be up and running as an instrument early next year. Ground control will use the scoop to push soil on top of the probe to provide more friction for it to drill down further. Here’s how NASA described the problem and the solution:

“I’m very glad we were able to recover from the unexpected ‘pop-out’ event we experienced and get the mole deeper than it’s ever been,” said Troy Hudson, an engineer at NASA’s Jet Propulsion Laboratory, who led the work to rescue the mole, on Friday.

“But we’re not quite done. We want to make sure there’s enough soil on top of the mole to enable it to dig on its own without any assistance from the arm.” ®

Google Offers Fresh Details on China-Linked Hacking Group

Analysis Shines Light on Group that Targeted Biden’s Campaign Offices

A report issued Friday by Google’s Threat Analysis Group offers fresh details about the Chinese-linked hacking group that targeted Joe Biden’s campaign offices earlier this year with phishing emails.

In June, Google released an analysis that found an advanced persistent threat group called APT31 had targeted the Biden campaign offices with phishing emails, although these attacks did not prove successful. The same report also found an Iranian-backed group used similar techniques against President Donald Trump’s campaign (see: Google: Phishing Attacks Targeted Trump, Biden Campaigns).

In the new report, Google TAG notes that APT31, which is also known as Zirconium, used GitHub to host malware and also utilized Dropbox as the command-and-control infrastructure, all to avoid detection and hide from security tools. The report did not say specifically if these techniques were the same as those used against the Biden campaign.

“Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” Shane Huntley, head of Google’s Threat Analysis Group, noted in the report.

As it did when the phishing campaigns against the Biden and Trump campaigns were first detailed in June, Google has shared this information with the FBI for further investigation. Overall, Google sent over 10,000 warnings about government-backed threats in the third quarter of this year, noting an increase in activity that has targeted political campaigns, according to the report.

In the final two weeks before the November election, the amount of nation-state activity that targets the Biden, Trump and other campaigns is likely to increase, making this a crucial time when it comes to cybersecurity, says Chris Pierson, CEO and founder of security firm BlackCloak.

“Over the past four years this attention has only picked up with target profiling activities starting early, regardless of party or candidate,” Pierson tells Information Security Media Group. “As races enter the final stretch, this attention only increases, the targeted phishing and other attacks increase, and the focus on reputational risks becomes more a target of opportunity.”

APT31 Details

In the report, the Google TAG researchers note that the phishing emails used by APT31 contained malicious links that, if clicked, would attempt to download malware hosted on GitHub.

In this case, the malware was a Python-based implant that, if installed, would allow the hackers to upload and download files as well as execute arbitrary commands, according to the report. The malicious code would also connect to the command-and-control server hosted on Dropbox.

In one case, the phishing emails came disguised as updates from security firm McAfee that urged the targeted victim to install updated security software, according to the report.

Phishing email disguised as McAfee update (Source: Google)

“The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system,” according to the Google report.

Tom Kellermann, the head of cybersecurity strategy at VMware who served as a cybersecurity adviser to former President Barack Obama, notes that the Google report shines an important light on the capabilities of groups such as APT31.

“APT 31 has dramatically improved their kill-chain by using Python and leveraging GitHub for distribution,” Kellermann tells ISMG.

Other hacking groups linked to China have also sought to utilize legitimate cloud services as a way to disguise their activities. In September, Microsoft announced that it had removed 18 apps from its Azure cloud computing platform that were being used by a Chinese hacking group called Gadolinium as part of its command-and-control infrastructure to help launch phishing email attacks (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).

DDoS Threats

In addition to the details about the phishing campaigns, the Google report notes that the company is tracking a rise in distributed denial-of-service attacks over the last several months. Over the last month, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency have also warned about an uptick in DDoS activity that could affect the November election (see: FBI, CISA Warn of DDoS Attacks Targeting November Election).

“While it’s less common to see DDoS attacks rather than phishing or hacking campaigns coming from government-backed threat groups, we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years,” according to the Google TAG report.

As part of the report, Google also disclosed that it fended off a 2.54 TB per second DDoS attack in 2017 that is likely the largest publicly disclosed DDoS attack ever reported. In February, Amazon Web Services reported a 2.3 TB per second DDoS attack (see: European Bank Targeted in Massive Packet-Based DDoS Attack).

List of largest DDoS attacks recorded (Source: Google)

“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack,” Damian Menscher, a security reliability engineer with Google, noted in a separate report. “Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.”

The Google report noted that the 2017 DDoS attack appeared to originate with four Chinese internet service providers and the operation behind the attack appeared well funded. The company disclosed the attack now to call attention to increasing DDoS attacks that have occurred over the last several months.

Ivan Righi, cyber threat intelligence analyst with security firm Digital Shadows, notes that these types of DDoS are likely to increase with the operators becoming more sophisticated.

“Most recently, threats have also evolved to a higher level with the introduction of DDoS extortion campaigns,” Righi tells ISMG. “These campaigns consist of threat actors demanding bitcoin payments from victims and threatening them with impending DDoS attacks. It is realistically possible that we could see these types of threats increase in the future.”

Managing Editor Scott Ferguson contributed to this report.

Week in review: Criminals leveraging Office 365, endpoint attack anatomy, medical devices cybersec

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Critical flaw in SonicWall’s firewalls patched, update quickly! (CVE-2020-5135)
SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.

The anatomy of an endpoint attack
A lot has changed across the cybersecurity threat landscape in the last decade, but one thing has remained the same: the endpoint is under siege. What has changed is how attackers compromise endpoints. Threat actors have learned to be more patient after gaining an initial foothold within a system (and essentially scope out their victim).

CPRA: More opportunity than threat for employers
As companies struggle with their existing compliance requirements, many fear that a new privacy ballot initiative – the California Privacy Rights Act (CPRA) – could complicate matters further.

Cybercriminals are using legitimate Office 365 services to launch attacks
Vectra released its report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks.

How to build up cybersecurity for medical devices
Manufacturing medical devices with cybersecurity firmly in mind is an endeavor that, according to Christopher Gates, an increasing number of manufacturers is trying to get right.

October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw
Microsoft has released patches for 87 CVE-numbered flaws in a variety of its offerings: 11 critical, 75 important, and one of moderate severity. None of the fixed vulnerabilities are currently being exploited, though six of them were previously publicly known.

Three best practices for responsible open source usage in the COVID-19 era
Organizations across both the private and public sector have been turning to open source solutions as a means to tackle emerging challenges while retaining the rapidity and agility needed to respond to evolving needs and remain competitive.

With database attacks on the rise, how can companies protect themselves?
Misconfigured or unsecured databases exposed on the open web are a fact of life. We hear about some of them because security researchers tell us how they discovered them, pinpointed their owners and alerted them, but many others are found by attackers first.

All Zoom users get end-to-end encryption (E2EE) option next week
Zoom users – both those who are on one of the paid plans and those who use it for free – will be able to try out the solution’s new end-to-end encryption (E2EE) option.

GitHub envisions a world with fewer software vulnerabilities
After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

The brain of the SIEM and SOAR
SIEM and SOAR solutions are important tools in a cybersecurity stack. They gather a wealth of data about potential security incidents throughout your system and store that info for review. But just like nerve endings in the body sending signals, what good are these signals if there is no brain to process, categorize and correlate this information?

Technologies that enable legal and compliance leaders to spot innovations
COVID-19 has accelerated the push toward digital business transformation for most businesses, and legal and compliance leaders are under pressure to anticipate both the potential improvements and possible risks that come with new legal technology innovations, according to Gartner.

As attackers evolve their tactics, continuous cybersecurity education is a must
As the Information Age slowly gives way to the Fourth Industrial Revolution, and the rise of IoT and IIoT, on-demand availability of computer system resources, big data and analytics, and cyber attacks aimed at business environments impact on our everyday lives, there’s an increasing need for knowledgeable cybersecurity professionals and, unfortunately, an increasing cybersecurity workforce skills gap.

Microsoft and partners cut off key Trickbot botnet infrastructure
Two weeks after someone (allegedly the US Cyber Command) temporarily interrupted the operation of the infamous Trickbot botnet, a coalition of tech companies headed by Microsoft has struck a serious blow against its operators.

SaaS adoption prompting concerns over operational complexity and risk
A rise in SaaS adoption is prompting concerns over operational complexity and risk, a BetterCloud report reveals.

In the era of AI, standards are falling behind
According to a recent study, only a minority of software developers are actually working in a software development company. This means that nowadays literally every company builds software in some form or another.

New research shows risk in healthcare supply chain
New research from RiskRecon and the Cyentia Institute pinpointed risk in third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in that sector.

New infosec products of the week: October 16, 2020
A rundown of the most important infosec products released last week.

Ransomware: Would Banning Ransom Payments Mitigate Threat?

Here’s Why Stopping the Extortion Epidemic Isn’t Easy

FinCEN says digital forensics, incident response and cyber insurance companies may have to report convertible virtual currency – CVC – payments to ransomware gangs.

Imagine this dystopian future: With ransom payments to cybercrime gangs outlawed by Western governments, a new breed of mercenary navigates the margins.

These so-called ransomware blade runners negotiate on behalf of organizations hit by network intrusion specialists who have stolen data, left systems encrypted and are threatening to leak the data unless they receive a payoff in monero or another privacy-preserving cryptocurrency. At the same time, they serve as a deniable back channel, helping victims avoid FBI, Treasury and other government investigators on the one hand and, on the other, data-exfiltration snatch artists who are trying to steal or buy the stolen data for their own shakedown purposes.

“I struggle to work out why it’s OK to pay some ransoms but not others.” 

Even without attempting to channel the hard-boiled science fiction of Philip K. Dick or William Gibson, it’s tough to imagine a future in which banning payments to ransomware gangs doesn’t make things worse.

Just to be clear: Organizations are getting hit left, right and center by ransomware-wielding attackers who increasingly threaten to leak, auction or otherwise publicize stolen data to up the pressure on victims to pay a ransom (see: Ransomware: Cybercrime Public Enemy No. 1).

Something must be done to stop the ransomware pandemic – but what?

Into this fray comes the U.S. Treasury Department, which on Oct. 1 issued an advisory (PDF) on “potential sanctions risks for facilitating ransomware payments.”

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the advisory warns.

The Treasury Department’s Office of Foreign Assets Control – OFAC – enforces economic and trade sanctions based on U.S. foreign policy and national security goals. Organizations and individuals on the OFAC sanctions list include certain nations, international narcotics traffickers, individuals involved in the proliferation of weapons of mass destruction and terrorists.

Sanctions Warning

In general, Americans and everyone else in the world are prohibited by U.S. law from directly or indirectly transacting with any individual or organization on the sanctions list. The Treasury Department also urges any organization or ransomware incident response firm that suspects it might be in negotiations with any “criminals and adversaries with a sanctions nexus” to contact the department immediately.

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

While the Treasury’s announcement might look like a shot across the bow, legal experts have been warning for years that any organization should consult its attorney before paying a ransom. That’s because making a payment could violate various laws – especially if the money ends up in terrorists’ hands.

As the Treasury makes clear, its new advisory “is explanatory only and does not have the force of law” or modify any existing laws. It references various now-defunct ransomware operations: Cryptolocker – tied to Russian national Evgeniy Mikhailovich Bogachev; SamSam – tied to two Iranians; WannaCry 2.0 – blamed on North Korea; and Dridex malware – tied to Russia-based cybercrime organization Evil Corp and its leader, Maksim Yakubets, as examples of “malicious cyber actors” on its sanctions list.

Of course, at the time such groups were in operation, they were not on any sanctions list.

FinCEN Alert, G-7 Pledge

Also on Oct. 1, the Treasury’s Financial Crimes Enforcement Network released a separate advisory for financial services firms as well as digital forensics and incident response companies and cyber insurance companies.

FinCEN’s Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

The FinCEN advisory (PDF) warns these organizations that if they handle payments to ransom operators, they may be required to register with FinCEN as a money services business and comply with anti-money laundering regulations, including the Bank Secrecy Act and its requirement for filing suspicious activity reports. These reports can be required when financial institutions are used “to facilitate criminal activity,” such as handling the proceeds from an extortion attack.

On Tuesday, several nations issued a statement pledging to enhance their efforts “at coordinated responses to ransomware, including where possible information sharing, economic measures, and support for effective implementation” of anti-money laundering and anti-terrorism-financing processes. The G-7 statement on ransomware (PDF) notes that, with gangs predominantly requiring payment in virtual currencies, it’s imperative that cryptocurrency exchanges “hold and exchange information about the originators and beneficiaries of virtual asset transfers.”

Giving investigators a better ability to “follow the money” could help law enforcement disrupt more ransomware gangs, including their payment conduits (see: Criminals Still Going Crazy for Cryptocurrency).

In the bigger picture, however, it’s treating a symptom, not the cause. And the problem of what to do about ransomware remains thorny.

During a presentation earlier this month, Ciaran Martin, who until Aug. 31 served as CEO of the U.K.’s National Cyber Security Center – the public-facing arm of the GCHQ intelligence agency – was asked this question (by a secondary school student with an interest in cybersecurity, no less): Is ransomware the biggest threat we face today, and will that change anytime soon?

“Yes, and no,” Martin replied. “Certainly,” he said, ransomware “is the biggest obvious problem” at the moment. “And do I see that changing? No, because it’s too lucrative and too easy.”

‘Lively Debate’ Over Bans

What can be done? Martin, who was speaking at a virtual event organized by the Scottish Business Resilience Center, which helps coordinate better cybersecurity and resiliency practices across the public and private sectors, says there are two ideas he’s particularly keen to explore: “One is trying to get insurance to work properly” and ensuring that victims aren’t simply paying out all the time. “And the other is about the law,” he said.

Ciaran Martin, professor of practice in the management of public organizations at Oxford University’s Blavatnik School of Government, delivers a virtual presentation for the Scottish Business Resilience Center on Oct. 7.

Recently, there’s been a “lively debate” about whether the law should be changed to try to better counter ransomware schemes, he said. “I’m not completely convinced that banning ransom payments is the right thing to do, but … [under] U.K. law, if it’s a prescribed terrorist organization campaign you can’t pay, but if it’s what we used to call in Northern Ireland the ‘ordinary decent criminal,’ it’s fine. That doesn’t really make sense.”

Likewise, the recent U.S. Treasury warning emphasizes that, if you pay a ransom to a sanctioned individual or organization, then you could face financial or criminal penalties.

“I struggle to work out why it’s OK to pay some ransoms but not others. In the U.K.’s case, it’s the result of the law being designed to prevent the payment of ransoms to terrorist groups and kidnappings from in the noughties [the decade from 2000 to 2009] … when there were some horrible incidents in places like Mali and Syria and Iraq and that sort of thing,” Martin says.

But government sanctions aren’t going to stop ransomware. If need be, desperate organizations might attempt to use attorney-client privilege and intermediaries – aka cut-outs or mercenaries – to pay ransoms in exchange for the promise of a decryption tool, especially if the alternative is to go out of business.

Cybersecurity Community: Call to Arms

In fact, Martin – who’s now professor of practice in the management of public organizations at Oxford University’s Blavatnik School of Government – says it’s not clear that governments will be key to solving the ransomware problem. Rather, better solutions will hopefully come via the cybersecurity community.

“Certainly one of the frustrations of my last year in government was that there was an awful lot of attention on stuff like 5G and so on, and rightly so,” he said. “But [fighting] ransomware needs a sustained effort, and that should be a big focus of the cybersecurity community as well, and it doesn’t necessarily have to be – or indeed should be – government-led.”

Supply Chain Risk Management: Areas of Concern

Many healthcare organizations are failing to address shortcomings in security risk management for their supply chains, says former healthcare CIO David Finn, describing findings of a recent study assessing the state of cybersecurity in the sector.

“The supply chain risk assessment really has to start before you make a final decision” about bringing onboard a vendor, says Finn, executive vice president at the privacy and security consultancy CynergisTek.

“We very rarely see security and risk management as part of a request for proposal,” he says in an interview with Information Security Media Group. “And that really needs to be cooked into the process when you’re looking for a vendor, particularly if it’s a vendor that is going to have access to your technology resources, or more critically, your electronic health information or other patient information.”

Other Trends

Supply chain concerns were among a host of disturbing trends identified in the recent CynergisTek study examining healthcare risk management practices and the state of cybersecurity in the sector.

For example, the analysis found many healthcare sector entities “sliding backward” from 2017 to 2019 in implementing practices called for by the National Institute of Standards and Technology’s cybersecurity framework, Finn notes.

“To see the decline in 2019 numbers and then see this rapid expansion of the attack surface [amid the pandemic in 2020] … it’s really a scary situation for us to find ourselves in,” he says.

In the interview, Finn also discusses:

  • Other trends identified in the study;
  • Security challenges facing healthcare entities undergoing a merger or acquisition;
  • Advice for improving security risk management programs.

Finn, executive vice president of strategic innovation at CynergisTek, previously was health IT officer at security vendor Symantec. Prior to that, he was CIO and vice president of information services at Texas Children’s Hospital, where he also served as the privacy and security officer. He has more than 30 years of experience in the planning, management and control of IT and business processes.

British Airways' GDPR Fine Dramatically Reduced

Fined $26 Million in Connection With 2018 Breach

Britain’s Information Commissioner’s Office announced this week a dramatic reduction in its fine against British Airways for violating the EU’s General Data Protection Regulation.

The ICO finalized a fine of nearly 20 million pounds ($26 million) in connection with a 2018 data breach that exposed the personal information of about 430,000 customers. It had announced in July 2019 that it intended to impose a penalty of 184 million pounds ($238 million) on British Airways, which is owned by the Madrid-based International Airlines Group (see: British Airways Faces Record-Setting $230 Million GDPR Fine).

“As part of the regulatory process, the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty,” the ICO said this week.

Lack of Security Protocols

At the time of the breach, British Airways did not have the proper security protocols in place to protect the large amount of personal data it processes and stores, the ICO says. The breach, which exposed credit card information and employee login credentials, went undetected for two months, according to the agency.

“People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA a £20m fine – our biggest to date,” says ICO Commissioner Elizabeth Denham.

A British Airways spokesperson tells Information Security Media Group: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”

André Bywater, a partner at London-based law firm Cordery, says the reduced fine imposed on British Airways “should not deter organizations from taking data security seriously. Further, organizations should also bear in mind that class-action [lawsuits] for compensation may yet add to the final bill in cases like this one.”

Breach Detection Delay

ICO expressed concern that the airline failed to detect the breach and was informed of it by a third party more than two months after the attack.

“It is not clear whether or when BA would have identified the attack themselves,” the ICO report states. “This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”

Bywater says companies must have top-level organizational and technical measures in place to defend against breaches.

“They must have a first-rate strategy and proper tools in place for responding quickly when these incidents do happen. Those processes and procedures should be tested regularly,” he says.

Magecart Suspected

Immediately after British Airways announced the breach in 2018, security firm RiskIQ reported it was likely a Magecart-style attack, which involves placing a JavaScript skimmer in the target’s e-commerce checkout system to scrape customer payment data as it’s entered (see: RiskIQ: British Airways Breach Ties to Cybercrime Group).

Groups under the Magecart umbrella are thought to be responsible for dozens of attacks over the last five years, including those targeting Macy’s, Wawa and Newegg.

The ICO estimates nearly 430,000 British Airways’ customers and staff were potentially affected by the breach, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised.

Usernames and passwords of employee and administrator accounts were also exposed, as well as usernames and PINs of up to 612 BA Executive Club accounts.

Live Event: CISO Perspectives on Distributed Workforce and Post-pandemic Enterprise

The distributed workforce, combined with the need to modernize and improve operational efficiency, has reframed digital transformation priorities and introduced new areas of risk to today’s enterprise. In light of ongoing macroeconomic demands, the CISO is facing increasing pressure to deliver value.

If organizations fail to establish new digital transformation strategies to secure their distributed workforce, they could increase the chance of successful attacks, fall into non-compliance and suffer financial and reputational losses. Conversely, organizations could focus on the wrong areas of cybersecurity, wasting precious resources on ineffective solutions. For CISOs, walking this tightrope in 2021 will be an ongoing challenge.

Register now for this unique, interactive event, where we will share the results of ISMG and Skybox Security’s new Global Distributed Workforce Survey and discuss questions including:

  • How confident are security leaders in maintaining a holistic view of their organization’s attack surface?
  • What risks are most concerning about the increased hybrid model of working?
  • How confident are security leaders that changes were properly validated so as not to lead to security issues?
  • What trade-offs were made in terms of deprioritizing certain organizational policies in order to enable the remote workforce?

'Black Box' and Physical Attacks Against ATMs Surge

Physical Attacks Increase in US; ATM Malware and Logical Attacks Rise in Europe

Criminals have been seeking innovative new ways to steal cash from ATMs across the United States and Europe.

In the United States, Atlanta-based ATM manufacturer NCR warns that it’s seen a surge in physical attacks against ATMs. It has urged operators to bring better defenses to bear, potentially including armor for ATMs as well as using ink or glue to “degrade” the value of stolen cash.

In Europe, meanwhile, attackers are increasingly plugging devices into ATMs designed to tell a machine to spit out all of the cash stored in its safe.


The European Association for Secure Transactions, or EAST, reports that while most types of ATM attacks have recently declined in Europe, ATM malware and logical attacks against ATMs have surged. While EAST counted 35 such attacks in the first half of 2019, there were 129 such attacks – a 269% increase – in the first half of this year (see: Diebold Nixdorf: ATMs in Europe Hacked). Losses due to such attacks rose from less than 1,000 euros ($1,200) in the first half of last year to just over 1 million euros ($1.2 million) this year. All of these attacks involved the use of so-called “black boxes.”

“A black box attack is the connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser, in order to ‘cash-out’ or ‘jackpot’ the ATM,” EAST notes (see: No Card Required: ‘Black Box’ ATM Attacks Move Into Europe).

Black box attacks typically require that criminals have physical access to an ATM and time to remove access panels to plug in their device and execute the attack.

In Europe, terminal-related fraud attacks – which include physical skimming devices designed to steal card data – decreased by 66% from the first half of 2019 to the first half of this year, although total losses only decreased by 12%, from 124 million euros ($145.3 million) to 109 million euros ($127.8 million), EAST reports.

In the same timeframe, “card skimming fell to another all-time low – down from 731 to 321 incidents – and transaction reversal fraud at ATMs decreased by 97%, down from 3,405 to just 108 incidents,” according to EAST. Transaction reversal fraud typically involves an attacker manipulating the cash dispenser to trigger a fault, which the operator interprets as money not having been dispensed when it actually has.

“Overall crime at terminals has decreased during the lockdown phase of the pandemic,” says EAST Executive Director Lachlan Gunn. “While this rise in black box attacks is of concern, most such attacks remain unsuccessful.”

Gunn notes that such attacks are the focus of EAST’s Expert Group on All Terminal Fraud, which involves both private organizations and law enforcement.

Although physical attacks in Europe are declining, losses are growing. Comparing the first half of 2019 with the first half of this year, the number of such attacks declined by 23%, from 2,376 to 1,829, primarily due to a decrease in ram raids and ATM burglary. But in the same timeframe, the losses increased by 11%, from 11.4 million euros ($13.4 million) to 12.6 million euros ($14.8 million), primarily driven by a rise in losses due to explosive and gas attacks.

Physical Attacks Against ATMs Rise in U.S.

Earlier this month, NCR warned that it had tracked a wave of physical attacks against ATMs in the U.S. over the first half of this year. At first, such attacks were restricted to a few regions, but they later expanded nationwide and have targeted devices from numerous manufacturers.

“The attacks average only five or six minutes onsite with losses exceeding $120,000 per unit,” NCR said in a security advisory.

The physical attacks fall into three categories:

  • Attacking the safe door: Attackers “attach hooks or chains to the ATM safe door” on one side and a heavy-duty vehicle on the other, “then drive off at high speed to attempt to pull the door off,” NCR says. The company has released reinforcement kits that remove places where hooks can be attached, and it recommends adding additional physical barriers – such as security gates – to restrict access.
  • Explosives: These are being used both to breach the safe as well as for vandalism. “Both forms of attack have increased over the summer and throughout the period of civil unrest, mass public protests and gatherings in the U.S.,” NCR says, noting that it has released a new type of explosive-resistant safe designed for island drive-up ATMs.
  • Pulling out ATMs: Attackers can pull ATMs off of their bases and take them elsewhere to breach them. Better anchoring systems and security gates can help block these types of attacks as well as serve as visual deterrents, NCR says.

For all of these types of attacks, NCR recommends operators use “cash degradation systems in the form of ink solutions which will ultimately ‘spoil the prize’ and permanently stain the banknotes to reduce their value if a unit is attacked.”

Brazil provides an example of how effective countermeasures can successfully block physical attacks, NCR says. “Brazil had 1,027 physical attacks across their ATM estates in 2018 – 11 of which were solid explosive attacks,” it says. Compare that to previous years, “where they were experiencing up to 240 solid attacks per year, circa 2011, and over 35,00 physical attacks per year, circa 2013,” it says. “Countermeasures, such as ink staining systems implemented by banks in this region, have helped to bring the overall number of attacks down year on year.”

Slowing Attacks Down Remains Key

NCR says attackers will continue to devise new ways to target ATMs.

“We can never expect criminals to leave ATMs alone. Criminals will continue to modify their attacks and attempt new kinds in one market and expand them to others. And physical attacks are on the rise,” NCR says. “The only real defense is to stay proactive in securing your ATMs. No one solution fits all types of attacks, so layering up, slowing down the attack and working with local law enforcement are key to success.”

For Sale: 3 Million Cards Used at Dickey's Barbecue Pit

Joker’s Stash Darknet Marketplace Offering Payment Cards Used at Franchise Restaurants

Joker’s Stash advertisement for the sale of ‘BlazingSun’ group of stolen cards (Source: Gemini Advisory)

The Joker’s Stash darknet marketplace has posted a fresh collection of 3 million credit cards that are likely related to a breach of the Dickey’s Barbecue Pit chain of franchised restaurants, according to Gemini Advisory.

The new collection, called “BlazingSun,” was posted Monday on the Joker’s Stash carding site, and Gemini Advisory says it confirmed the authenticity of the data before publishing its report Thursday.

The darknet marketplace had been advertising in recent weeks that the data from the Dickey’s Barbecue Pit breach would be posted soon, Gemini Advisory reports.

The data is from both track 1 and track 2 of cards, which can include the cardholder name, account number, expiration date and bank identification number. It apparently comes from cards used at restaurants in 30 states as well as some international locations, according to the report. The data appears to have been stolen between July 2019 and August. Joker’s Stash is now selling the information for a median price of $17 per card.

A spokesperson for Dickey’s Barbecue Pit tells Information Security Media Group that the company is aware of the report that card data is for sale and has contacted third-party security firms as well as the FBI to investigate.

“We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved,” the spokesperson says.

More to Come?

Back in January, Joker’s Stash posted for sale 30 million payment cards related to a breach at the Wawa convenience store chain (see: Wawa’s Stolen Payment Cards Are Now for Sale).

“The marketplace advertised this [Wawa] breach as containing 30 million records, and as of this writing, it continues to add compromised cards,” according to the Gemini Advisory report this week. “Since the breach first appeared in January 2020 and continues to add records 10 months later, the BlazingSun [Dickey’s card listing] may follow a similar timeline of several months.”

Security Shortcomings

The source of the breach data from Dickey’s Barbecue Pit restaurants is not known.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of point-of-sale device and processors that they utilize,” the report states. “However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks.”

Dickey’s Barbecue Pit oversees 469 franchise restaurants across 42 states. The Gemini Advisory report estimates that 156 of these locations in 30 states appear to have been compromised, with the highest exposure in California and Arizona.

The Gemini Advisory report noted that Dickey’s Barbecue Pit sustained a ransomware attack in 2015, and the company ended up paying a $6,000 ransom. In 2018, the then-CEO wrote a blog post promising to update and improve the company’s security practices.

Other Stolen Data for Sale

Over the last several months, Joker’s Stash also has advertised a collection of nearly 400,000 payment cards issued by banks in the U.S. and South Korea for approximately $5 each, according to the security firm Group-IB (see: Joker’s Stash Sells Fresh US, South Korean Payment Cards).

20 Arrested in Money-Laundering Crackdown

Group Allegedly Laundered Cash, Cryptocurrency for Other Cybercriminals

Map of arrests of alleged QQAAZZ members (Source: Europol)

An international law enforcement operation involving 16 countries has resulted in the arrest of 20 individuals suspected of belonging to the QQAAZZ criminal network, which helped launder cash and cryptocurrency for other cybercriminals, according to the U.S. Justice Department and Europol.

A U.S. federal grand jury indictment unsealed Thursday charges 14 individuals from Georgia, Romania, Latvia, Bulgaria and Belgium with providing money-laundering services to high-level cybercriminals. Six others were previously arrested and charged with money laundering, according to the Justice Department.

The money laundering charges carry a possible 20-year federal prison sentence, according to the Justice Department.

The latest arrests came after more than 40 house searches spread across Latvia, Bulgaria, the U.K., Spain and Italy. The largest number of house raids were conducted in Latvia. Bitcoin mining equipment was seized in Bulgaria, according to Europol.

“QQAAZZ advertised its services as a ‘global, complicit bank drops service’ on Russian-speaking online cybercriminal forums where cybercriminals gather to offer or seek specialized skills or services needed to engage in a variety of cybercriminal activities,” according to the Justice Department.

Criminal organizations that allegedly used QQAAZZ’s money-laundering skills include those gangs operating well-known malware, such as Dridex, Trickbot and GozNym, the Justice Department reports (see: Two Russians Indicted Over $100M Dridex Malware Thefts).

Allegations Against QQAAZZ

U.S. authorities allege the QQAAZZ network laundered, or attempted to launder, tens of millions of dollars stolen from cybercrime victims since 2016.

The QQAAZZ cybercrime group comprises individuals from more than a dozen countries, according to Europol.

The group registered dozens of shell companies it used to open hundreds of corporate bank accounts at financial institutions in several countries, including the U.K., Portugal, Spain, Germany, Belgium, Turkey and the Netherlands, according to the court documents. These accounts were used to receive and launder stolen money, the Justice Department alleges.

“The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using ‘tumbling’ services designed to hide the source of the funds. After taking a fee of up to 40% to 50%, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele,” according to the Justice Department.

U.S. victims that had money stolen include several Pittsburgh banks, a Jewish orthodox synagogue in Brooklyn and a medical device manufacturer in York, Pennsylvania, prosecutors say.

Earlier Arrests

In January, the U.S. Department of Justice indicted five Latvian nationals on charges of providing money-laundering services for cybercriminals as part of QQAAZZ. One of the men indicted, Aleksejs Trofimovics, was alleged to have run a virtual currency exchange website that was seized by law enforcement in 2017.

In April, the FBI arrested a Russian national for allegedly helping QQAAZZ launder money by turning cash into bitcoin and other cryptocurrencies (see: FBI Alleges Russian Man Laundered Cybercriminals’ Money). Maksim Boiko was arrested by FBI agents on March 28 in Miami and is in federal custody.

Arkady Bukh, a Brooklyn-based attorney representing Boiko, tells Information Security Media Group that his client has pleaded not guilty and likely will face trial next year.

Come on, Amazon: If you’re going to copy open-source code for a new product, at least credit the creator

On Thursday, Amazon Web Services launched CloudWatch Synthetics Recorder, a Chrome browser extension for recording browser interactions that it copied from the Headless Recorder project created by developer Tim Nolet.

It broke no law in doing so – the software is published under the permissive Apache License v2 – and developers expect such open-source projects will be copied and forked. But Amazon’s move didn’t win any fans, because it failed to publicly acknowledge the code’s creator.

There is a mention buried in the NOTICE.txt file bundled with the CloudWatch extension that credits Headless Recorder, under its previous name “puppeteer-recorder,” as required by the license. But there’s an expectation among open source developers that biz as big as AWS should show more courtesy.

“The core of the problem here (for me at least) is not the letter of the license, it’s the spirit,” said Nolet in a message to The Register.

“It’s the fact that no one inside of AWS cared enough to stop and think ‘is this a dick move? Is this something I would want to have happen to me?’ Hence the current PR damage control campaign. They know it’s wrong. Not illegal, but wrong. Someone just had to tell them that.”

Nolet runs a software monitoring service called Checkly and developed the Headless Recorder browser extension as a tool for his company and customers. He said he hadn’t given the license for Headless Recorder a lot of thought because it’s just a browser extension full of client-side code – meaning it’s visible to anyone familiar with browser development tools.

“Amazon should have opened a PR [pull request] and proposed ‘let’s add this feature to your code.’ Or they could have simply kept their fork open source,” he said.

“In the least, they could have mentioned that their work was based on my work. I do this in the of the project itself where I acknowledge the creators of an old project by that I used as inspiration.”


This is not the first time AWS has taken the work of open source developers and turned it into an AWS product. Last year, it launched Open Distro for Elasticsearch, to the dismay of Elasticsearch, a company formed to make a business out of the Elasticsearch open source project. And earlier that year it released DocumentDB, based on an outdated version of the open source MongoDB code.

Many popular open source licenses allow this, but because AWS brings billions in infrastructure assets into the competition, smaller companies trying to commercialize open source projects find the challenge difficult to deal with.

Such behavior – taking without giving back, or at least giving thanks – has been a concern for the past few years and has led to experiments with “cloud protection licenses” designed to deter cloud providers from co-opting public software projects. Just last month, database maker Timescale adopted a new source-available license called the Timescale License (TSL) as a defense against AWS and its peers.

Late last year, in response to a New York Times article about how AWS copies and integrates software pioneered by others, AWS VP Andi Gutmans criticized the report. He pointed to the many open source projects that have received code contributions from AWS developers and insisted, “AWS has not copied anybody’s software or services.”

The Register asked Amazon PR and Matt Asay, head of Open Source Strategy and Marketing for AWS, for comment. But we’ve not heard back.

Via Twitter, Asay expressed concern about the handling of the CloudWatch extension launch and said he would look into it. And in a comment posted to Hacker News, he sounded similarly contrite.

“AWS uses a lot of open source, and we contribute a lot, both in terms of code (first-party projects like Firecracker and Bottlerocket, but also third-party projects like Redis, GraphQL, Open Telemetry, etc.), testing, credits, foundation support, and more,” he said.

“But open source is ultimately about people and communities, and I personally feel we could have done more to acknowledge the great work Tim and his co-maintainers have done, and try to support their Headless Recorder work. We’re talking with Tim now about this.”

Nolet confirmed this and said he believes AWS is sincere in its desire to make amends. “They screwed up and we’re going to work something out,” he said. “What that is, I have no idea yet.” ®

Top doctors slam Google for not backing up incredible claims of super-human cancer-spotting AI

Distinguished doctors have publicly criticized Google and others for making grand claims about AI research and then not sharing the source code and models to let others replicate and verify the experiments.

In January, a team led by Google Brain’s Scott Mayer McKinney published a paper in Nature boasting that its artificial intelligence was better than human doctors at spotting breast cancer in mammograms. The claims were widely reported in the mainstream press. Now top doctors have complained in an article published this week in Nature that the Googlers haven’t backed up their claims with usable evidence.

“On paper and in theory, the McKinney et al study is beautiful,” said Dr Benjamin Haibe-Kains, senior scientist at Canada’s Princess Margaret Cancer Centre and first author of the article. “But if we can’t learn from it then it has little to no scientific value.”

“Without the computer code and fitted model, it will be very difficult to build on their work,” Haibe-Kains told The Register.

“Replicating their model is not impossible but it will take months without any guarantee that the newly generated model will even be close to theirs even with access to all the data they used for training. The Devil is in the details.”

For example, information on the system’s hyperparameters and the training pipeline was not included in the paper. Researchers should publish the relevant source code so that claims can be verified and tested more easily, Haibe-Kains said. It’s just good science to do so.

As well as Haibe-Kains, 22 other experts from top institutions – including the University of Toronto, Stanford University School of Medicine, MIT, Brigham and Women’s Hospital, and the Massive Analysis Quality Control Society, a group dedicated to reproducible science – put their names to the article. Haibe-Kains and his colleagues said Google’s “publication of insufficiently documented research does not meet the core requirements underlying scientific discovery.”

“Merely textual descriptions of deep-learning models can hide their high level of complexity. Nuances in the computer code may have marked effects on the training and evaluation of results, potentially leading to unintended consequences. Therefore, transparency in the form of the actual computer code used to train a model and arrive at its final set of parameters is essential for research reproducibility,” they wrote.

It’s not difficult to release the source code, for example by publishing it on sites like GitHub, GitLab, or Bitbucket, they recommended. There’s now a tab to link papers on the pre-print service arXiv to their associated source code, too.

It’s true that deploying the models on actual systems is trickier, though there is software that can make that process easier, such as Docker, Code Ocean, Gigantum, and Colaboratory.

“It’s important to state that this is early stage research,” a Google spokesperson told The Register. It appears the web giant doesn’t want its source code to be released until it’s gone through a QA process due to the medical nature of the project: “We intend to subject our software to extensive testing prior to its use in a clinical environment, working alongside patients, providers and regulators to ensure efficacy and safety,” the spokesperson said.

It’s not just the internet giant

Haibe-Kains said this problem of withheld code isn’t specific to Google; many scientific papers on the uses of AI written by all sorts of teams lack the material to recreate their experiments. “Researchers are more incentivized to publish their findings rather than spend time and resources ensuring their study can be replicated,” he said.

“Journals are vulnerable to the ‘hype’ of AI and may lower the standards for accepting papers that don’t include all the materials required to make the study reproducible – often in contradiction to their own guidelines.”

Holding back crucial details, such as the source code used to create the machine-learning software, in research is detrimental to scientific progress, and prevents the algorithms from being tested in the real world in clinical settings.



The McKinney team hit back, politely, at the doctors’ article in a response published in Nature, thanking the experts for their “thoughtful contribution.”

“We agree that transparency and reproducibility are paramount for scientific progress,” they wrote. “In keeping with this principle, the largest data source used in our publication is available to the academic community.”

Yet they will not publish the code to their algorithms, and claimed that most of the components in the model are open to the public already, many of them released by Google itself. There are also other concerns.

“Because liability issues surrounding artificial intelligence in healthcare remain unresolved, providing unrestricted access to such technologies may place patients, providers, and developers at risk,” the Googlers stated. “In addition, the development of impactful medical technologies must remain a sustainable venture to promote a vibrant ecosystem that supports future innovation. Parallels to hardware medical devices and pharmaceuticals may be useful to consider in this regard.”

Haibe-Kains told El Reg he isn’t surprised Google has decided to not publish the code, despite numerous pleas: “They have been given the opportunity once with the publication of their original study, and a second time with the publication of our article. They have not seized these opportunities, it is, therefore, clear that they do not want to share their computer code.”

It’s possible that Google might be holding back the code for commercial reasons. By keeping it to itself, the ad giant has the upper hand for pushing forward clinical trials and developing a product that can be sold to healthcare providers.

“There is nothing wrong with this, but it has little to do with science per se, as no new knowledge outside Google is being generated and shared to advance research at large,” Haibe-Kains told us. “There is a darker possibility that I prefer not to believe in: it does not want anybody to scrutinize its code because it is concerned that its model is not stable or that there might be hidden biases or confounding factors that would invalidate the model’s prediction.

“This would not be the first time that subsequent analyses reveal such limitations or errors and that is exactly why we scientists should always be transparent.” ®

Friday Squid Blogging: Chinese Squid Fishing Near the Galapagos

The Chinese have been illegally squid fishing near the Galapagos Islands.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Software billionaire accused of hiding $2bn in income from IRS – potentially the largest tax scam in US history

The US Justice Department on Thursday charged billionaire software tycoon Robert Brockman with tax evasion, wire fraud, money laundering, and other offenses.

Brockman, 72, of Houston, Texas, and Pitkin County, Colorado, is the CEO of auto-dealership software maker Reynolds & Reynolds. He is alleged to have participated in a two-decade-long scheme to hide $2bn in income from the US Internal Revenue Service (IRS). The prosecution is said to be the largest individual tax case in US history.

“As alleged, Mr Brockman is responsible for carrying out an approximately two billion dollar tax evasion scheme,” said Jim Lee, Chief of Criminal Investigation for the IRS, in a statement.

“IRS Criminal Investigation aggressively pursues tax cheats domestically and abroad. No scheme is too complex or sophisticated for our investigators. Those hiding income or assets offshore are encouraged to come forward and voluntarily disclose their holdings.”

Nonetheless, data suggests IRS scrutiny of the wealthy is disproportionately low. ProPublica last year reported that in 2018 millionaires were roughly 80 per cent less likely to be audited than they were in 2011.


Brockman, a former IBM salesperson who later founded Universal Computer Services, Inc, which subsequently merged with Reynolds & Reynolds, is said to have tried to conceal income earned from investments in a private equities fund from tax authorities. He is also accused of fraudulently obtaining about $67.8m in debt securities.

According to the government’s indictment [PDF], Brockman created a complex network of offshore companies and trusts to conceal his income and designated various individuals to oversee these entities. To communicate with these people, he “created and used a proprietary, encrypted email system,” and used a series of angling-oriented code names – he was “Permit” or “Permit1” and his associates had names like “Redfish,” “King,” “Bonefish,” “Snapper,” and “Steelhead.” It’s claimed he referred to the IRS in these encrypted messages as “the house.”

Concerned about being caught, he is said to have directed one of his associates to purchase a software program called “Evidence Eliminator.”

The indictment also alleges that Brockman went so far as to store old reams of paper for copy machines and laser printers in order to create more convincing backdated documents.

“[W]e need to also remember that all copy machine/laser printer paper has encoded into it the manufacturer of that paper as well as the year and month of manufacture,” he said, according to the indictment. “For that reason I always set aside some packets of copy paper with dates on them – for potential future use.”


Around 2016, the indictment claims, Brockman came to believe that one of the companies involved in the alleged scheme would be subject to scrutiny by US authorities and began trying to obstruct investigators by destroying evidence that might link him to Point Investment, Ltd, and a network of other entities. He or his associates, it’s claimed, destroyed documents with shredders and smashed electronic media with hammers to destroy data.

Efforts to conceal the alleged scheme appear to have been undone by the testimony of a cooperating witness. In a news conference on Thursday, David Anderson, US attorney for the Northern District of California, revealed that the case against Brockman is supported by the assistance of Robert Smith, the founder of Vista Equity Partners, a San Francisco-based investment firm that is said to have helped Brockman move money around. Smith has entered into a non-prosecution agreement with the government.

Brockman on Thursday pleaded not guilty on all counts and has been released on a $1m bond. Reynolds & Reynolds insists it’s not involved in the case.

“The allegations made by the Department of Justice focus on activities Robert Brockman engaged in outside of his professional responsibilities with Reynolds & Reynolds,” a spokesperson for Reynolds & Reynolds said in response to an inquiry from The Register. “The company is not alleged to have engaged in any wrongdoing, and we are confident in the integrity and strength of our business.”

The Register understands that Brockman is working with external legal counsel and continues to serve as CEO of Reynolds & Reynolds. ®