Disinformation campaigns can spread like wildfire on social media

76% of Americans believe they’ve encountered disinformation firsthand and 20% say they’ve shared information later shown to be incorrect or intentionally misleading, according to research released by NortonLifeLock.

Disinformation, or false information intended to mislead or deceive people, is commonly spread by social media users and bots – automated accounts controlled by software – with the intent to sow division among people, create confusion, and undermine confidence in the news surrounding major current events, such as the 2020 U.S. presidential election, COVID-19 and social justice movements.

“Social media has created ideological echo-chambers that make people more susceptible to disinformation,” said Daniel Kats, a senior principal researcher at NortonLifeLock Labs.

“Disinformation campaigns can spread like wildfire on social media and have a long-lasting impact, as people’s opinions and actions may be influenced by the false or misleading information being circulated.”

Fact-checking can stop the spread of disinformation

No matter who or what posts the information, fact-checking is a best practice for consumers to help stop the spread of disinformation. According to the online survey of more than 2,000 US adults, 53% of Americans often question whether information they see on social media is disinformation or fact.

86% of Americans agree that disinformation has the ability to greatly influence someone’s opinion, but only 58% acknowledge that it could influence them.

Although 82% of Americans are very concerned about the spread of disinformation, 21% still say social media companies do not have the right to remove it from their platform, with Republicans being almost twice as likely as Democrats to feel this way (25% vs. 13%).

“From disinformation campaigns to deepfakes, it’s becoming increasingly difficult for people to tell real from fake online,” added Kats. “It’s important to maintain a healthy dose of skepticism and to fact check multiple sources – especially before sharing something – to help avoid spreading disinformation.”

Additional findings

  • More than a third of Americans don’t know the true purpose of disinformation. Only 62% of Americans know that disinformation is created to cause a divide or rift between people; 72% of both Republicans and Democrats believe disinformation is created for political gain.
  • 79% of Americans believe social media companies have an obligation to remove disinformation from their platforms, with the majority of Democrats (87%), Republicans (75%) and Independents (75%) supporting this.
  • Democrats and Republicans disagree on who spreads disinformation the most, with Republicans most commonly stating news media outlets are most likely to spread disinformation (36%), and Democrats stating it’s U.S. politicians (28%).
  • Disinformation has taken a toll on relationships, with many Americans having argued with someone (36%), unfriended/unfollowed someone on social media (30%), or taken a break from social media altogether (28%) because of disinformation.

Political campaigns adopt surveillance capitalism at their own peril

Since the middle of the 20th century, commercial advertising and marketing techniques have made their way into the sphere of political campaigns. The tactics associated with surveillance capitalism – the commodification of personal data for profit as mastered by companies like Google and Facebook – have followed the same path.

The race between competing political campaigns to out-collect, out-analyze and out-leverage voter data has raised concerns about the damaging effects it has on privacy and democratic participation, but also about the fact that all of this data, if seized by adversarial nation-states, opens up opportunities for affecting an election and sowing electoral chaos.

Let’s start by looking at the information available to political campaigns. Typically, everything begins and ends with the voter file, which is a compendium of information that’s rooted in public data about an individual voter, including their party affiliation and voting frequency. The goal for political operatives is to continually enrich this information and to do so better and faster than their political rivals.

Campaign field workers add to voter files with written notes reflecting conversations with and observations of actual voters. But the real magic happens when this data is augmented with other datasets that are purchased directly from a data broker or shared from outside political groups through the national party’s data exchange.

Consumer information supplied by data brokers typically draws from voters’ digital activities (such as smartphone app activity) as well as offline activities (like credit card purchases), often presenting hundreds of attributes. In addition to data on things like income and occupation, additional datapoints enable campaigns to infer a variety of lifestyle preferences and attitudes.

Within this category of consumer information, voters’ location histories have an outsized value to campaigns. For monetization purposes, many popular smartphone apps, with users’ permission, track their locations and then make this data available to data brokers or advertisers. This location data can reveal extremely private information, including where an individual lives and how often they attend religious services. Though the data is meant to be anonymous, companies can tie the data to an individual’s identity by matching their smartphone’s advertising ID number or their presumed home address with other information.

In addition to purchased data, presidential campaigns have another tool for getting information directly from supporters: the campaign app. These apps allow candidates to speak directly to voters and are intended to increase engagement through gamification or other means. But perhaps the more important driver is that these apps can serve as a huge source of data. The Trump 2020 app, for example, makes extensive permission requests, including for access to a smartphone’s identity and Bluetooth. The app can potentially sniff out much of the information on a user’s device, including their app usage.

With this trove of data at their disposal, the next step for campaigns is to combine the various datasets together into a single voter list, matching specific voters to the commercial data provided. The data is then run through custom-built models, the end result of which is that voters are put into granular segments and scored on certain issues.

Armed with these insights, campaigns can then find the voters they need to target, including voters who are potentially receptive but currently disengaged and voters who previously supported the candidate or party but have lost enthusiasm. Campaigns can also use their data learnings to boost turnout among decided voters, to register unregistered voters and even to suppress support for the opposition candidate.

But despite the value of this data to campaigns, securing it isn’t always a priority. The reality is that political campaigns are fast-moving operations where the focus is on reaching voters and raising money, not cybersecurity. As just one example of this poor data stewardship, close to 15 million records on Texas voters were found on an exposed and unsecured server just months before the 2018 midterm elections.

If another country were looking to meddle in our elections, such data could potentially be stolen and then weaponized in ways that could tip the scales for one preferred candidate or simply undermine democratic principles.

Some scenarios include:

  • The adversarial country dumps the stolen voter data online, creating a liability for the campaign from which the data was stolen (or at the very least, creating a distraction from the campaign’s messaging).
  • In an attempt to silence the opposing campaign’s high-profile supporters, the adversary doxes them using embarrassing or intensely private details gleaned from the stolen data.
  • The adversary spoofs the opposing campaign through text message, sharing disinformation about the candidate or the voting process directly to the candidate’s cadre of supporters.
  • Using a political action committee as a front, the adversary sets up a massive digital advertising scheme microtargeted to the opposition candidate’s softer supporters with messages designed to chip away at their enthusiasm for voting.
  • Leveraging psychometric insights from the stolen data, the adversary finds the opposing campaign’s ardent supporters who may be most susceptible to manipulation and then, posing as the campaign, lures the supporters into actions designed to make the campaign seem guilty by association once publicized.

In retrospect, the harvesting of data popularly associated with Cambridge Analytica wasn’t an aberration so much as it was a harbinger of the digital arms race to come in electoral politics, a race to gather as much information about citizens’ locations, habits and beliefs as possible for the purposes of better informing campaign strategies and delivering optimized messaging to individual voters.

In the absence of a national data privacy law or stricter campaign data regulations, there’s very little that any one of us can do, short of living off the grid, to prevent our personal data from being fodder for campaigns and threat actors alike. In the meantime, you may choose to reward the candidates who most respect your data and your privacy by giving them your vote.

How to apply data protection best practices to the 2020 presidential election

It’s safe to assume that we need to protect presidential election data, since it’s one of the most critical sets of information available. Not only does it ensure the legitimacy of elections and the democratic process, but also may contain personal information about voters. Given its value and sensitivity, it only makes sense that this data would be a target for cybercriminals looking for some notoriety – or a big ransom payment.

In 2016, more needed to be done to protect the election and its data from foreign interference and corruption. This year, both stringent cybersecurity and backup and recovery protocols should be implemented in anticipation of sophisticated foreign interference.

Cybersecurity professionals in government and the public sector should look to the corporate world and mimic – and if possible improve upon – the policies and procedures being applied to keep data safe. Particularly as voting systems become more digitized, the likelihood of IT issues increases, so it’s essential to have a data protection plan in place to account for these challenges and emerging cyber threats.

The risk of ransomware in 2020

Four years ago, ransomware attacks impacting election data were significantly less threatening. Today, however, the thought of cybercriminals holding election data hostage in exchange for a record-breaking sum of money sounds entirely plausible. A recent attack on Tyler Technologies, a software provider for local governments across the US, highlighted the concerns held across the nation and left many to wonder if the software providers in charge of presidential election data might suffer a similar fate.

Regardless of whether data is recoverable, ransomware attacks typically cause IT downtime as security teams attempt to prevent the attack from spreading. While this is the best practice to follow to contain the malware, the impacts of system downtime on the day of the election could be catastrophic. To combat this, government officials should look for solutions that offer continuous availability technology.

The best defense also integrates cybersecurity and data protection, as removing segmentation streamlines the process of detecting and responding to attacks, while simultaneously recovering systems and data. This will simplify the process for stressed-out government IT teams already tasked with dealing with the chaos of election day.

Developing a plan to protect the presidential election

While ransomware is a key concern, it isn’t the only threat that election data faces. The 2016 election revealed to what degree party election data could be interfered with. Now that we know the risks, we also know that focusing solely on cybersecurity without a backup plan in place isn’t enough to keep this critical data secure.

The first step to any successful data protection plan is a robust backup strategy. Since the databases or cloud platforms that compile voter data are likely to be big targets, government security pros should store copies of that data in multiple locations to reduce the chance that one attack takes down an entire system. Ideally, they should follow the 3-2-1 rule: keep three copies of the data, on two different types of media, with one copy offsite (or in the cloud).

It’s also important to protect these backups with the same level of care as you would critical IT infrastructure. Backups are only helpful if they’re clean and easily accessible – particularly for a time-sensitive situation like the presidential election, it’s important to be able to recover backed-up data as quickly as possible. The last thing government officials need is missing or inaccessible votes on election day.
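The two requirements above (copies in separate locations, and backups that are verifiably clean and quickly restorable) can be exercised end to end. The following is an added example and not code from the article; everything in it is constructed: a small JSON file stands in for voter data, two temporary directories stand in for an on-site disk and an off-site location, ransomware is simulated by overwriting a copy with random bytes, and the function and path names are hypothetical.

```python
"""Added example: a 3-2-1 backup layout with hash-based integrity verification and restore.

Constructed scenario. The manifest of expected hashes must itself be kept where an
attacker on the primary network cannot rewrite it (signed, or stored offline).
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_321_backup(source: Path, onsite: Path, offsite: Path) -> Dict:
    """Primary + on-site copy (location 1) + off-site copy (location 2).
    Returns a manifest recording the source hash taken at backup time."""
    digest = sha256_of(source)
    copies = {"primary": source, "onsite": onsite / source.name, "offsite": offsite / source.name}
    for name, dest in copies.items():
        if name != "primary":
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source, dest)
    return {"expected_sha256": digest, "copies": {k: str(v) for k, v in copies.items()}}


def verify_copies(manifest: Dict) -> Dict[str, bool]:
    """True for a copy only if it exists and still matches the manifest hash."""
    expected = manifest["expected_sha256"]
    return {name: (Path(p).is_file() and sha256_of(Path(p)) == expected)
            for name, p in manifest["copies"].items()}


def restore_from_clean_copy(manifest: Dict, target: Path) -> Optional[str]:
    """Restore from the nearest copy that verifies; None if no clean copy is left."""
    status = verify_copies(manifest)
    for name in ("onsite", "offsite"):
        if status.get(name):
            shutil.copy2(manifest["copies"][name], target)
            return name
    return None


def simulate_ransomware(path: Path) -> None:
    """Stand-in for encryption: overwrite the file with random bytes (constructed attack)."""
    path.write_bytes(os.urandom(64))


def demo() -> Dict:
    """Full scenario in a temp dir: backup, attack primary + on-site copy, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "voters.json"  # constructed sample data
        src.write_text(json.dumps([{"id": 1, "precinct": "12A"}, {"id": 2, "precinct": "07C"}]))
        manifest = make_321_backup(src, root / "onsite", root / "offsite")
        # Attacker reaches the primary and the on-site copy (same network segment),
        # but not the off-site location.
        simulate_ransomware(src)
        simulate_ransomware(root / "onsite" / "voters.json")
        after_attack = verify_copies(manifest)
        restored_from = restore_from_clean_copy(manifest, src)
        return {"after_attack": after_attack, "restored_from": restored_from,
                "after_restore": verify_copies(manifest)}


if __name__ == "__main__":
    print(demo())
```

The point of hashing rather than merely checking that a file exists is that an encrypted or partially overwritten backup looks perfectly healthy to a directory listing; only a comparison against a hash recorded before the incident tells you which copy is safe to restore on election day.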

The need to protect this data doesn’t end when voting does, however. Government IT pros also must consider implementing a strategy for protecting stored voter data long-term. Compliance with data privacy regulations surrounding voter data is key to maintaining a fair democratic process, so they should make sure to consider any local regulations that may dictate how this data is stored and accessed. Protection that extends after the election will also be important for safeguarding against cyberattacks that might target this data down the line.

Not only could cyberattacks hold voter data hostage, they may also affect how quickly the results of the election can be determined. Voter data that is lost altogether might cause an entire election to be called a fraud. This would have a far-reaching impact on people across America, and our democratic process as a whole. Luckily, this is avoidable with a data protection and ransomware response plan that gets government officials prepared for when an attack happens.

US charges Sandworm hackers who mounted NotPetya, other high-profile attacks

The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) claimed on Monday as it unsealed an indictment against six alleged members of the group.

Sandworm Team attacks

“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort,” the DoJ alleges.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”

At the same time, the UK National Cyber Security Centre (NCSC) says it assesses “with high confidence” that the group had also been actively targeting organizations involved in the 2020 Olympic and Paralympic Games before they were postponed.

“In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games. The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter,” the UK NCSC said.

“The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.”

The UK government confirmed their prior assessments that many of the aforementioned attacks had been the work of the Russian GRU.

Sandworm Team hackers

Sandworm Team (aka “Telebots,” “Voodoo Bear,” “Iron Viking,” and “BlackEnergy”) is, the DoJ claims, the group behind many conspicuous attacks over the last half-decade, all allegedly performed under the aegis of the Russian government.

The six alleged Sandworm Team hackers against whom the indictment has been brought were responsible for a variety of tasks, as laid out in the indictment.

One of them, Anatoliy Kovalev, has been previously charged by a US court “with conspiring to gain unauthorized access into the computers of US persons and entities involved in the administration of the 2016 US elections,” the DoJ noted.

The US investigation into the group has lasted for several years, and had help from Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, victims, and several IT and IT security companies.

Political and other ramifications

Warrants for the arrest of the six alleged Sandworm Team members have been issued, but the chances that arrests will ever be made are slim to nonexistent.

The Russian government’s official position is that the accusations are baseless and part of an “information war against Russia”.

It’s unusual to see the US mount criminal charges against intelligence officers that were engaged in cyber-espionage operations outside the US, but the rationale here is that many of the attacks resulted in real-world consequences that were aimed at undermining the target countries’ governments and destabilizing the countries themselves, and that they affected individuals, civilian critical infrastructure (including organizations in the US), and private sector companies.

“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” commented US Attorney Scott W. Brady for the Western District of Pennsylvania.

There are currently no binding international laws or agreed norms regulating cyber attacks and cyber espionage in peacetime, but earlier this year Russian Federation president Vladimir Putin called for an agreement between Russia and the US that would guarantee the two nations would not try to meddle with each other’s elections and internal affairs via “cyber” means.

This latest round of indictments by the US is unlikely to act as a deterrent but, as Dr. Panayotis Yannakogeorgos recently told Help Net Security, indictments and public attribution of attacks serve several other purposes.

Another interesting result of this indictment may be felt by insurance companies and their customers that have suffered disruption due to cyber attacks mounted by nation-states. Some insurance policies exclude cyber incidents that could be considered an “act of war”, and an official attribution of an attack to a state’s military intelligence service (e.g., the NotPetya attacks) gives insurers grounds to invoke that exclusion.

Most US states show signs of a vulnerable election-related infrastructure

75% of the 56 U.S. states and territories showed signs of a vulnerable IT infrastructure in the run-up to the presidential election, a SecurityScorecard report reveals.

Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.

Election infrastructure: High-level findings

Seventy-five percent of U.S. states and territories are rated a ‘C’ or below on overall cyberhealth, and 35% a ‘D’ or below. Based on a three-year SecurityScorecard study of historical data, organizations with a ‘C’ grade are 3x more likely to experience a breach (or an incident such as ransomware) than those with an ‘A’; those with a ‘D’ are nearly 5x more likely.

  • States with the highest scores: Kentucky (95) Kansas (92) Michigan (92)
  • States with the lowest scores: North Dakota (59) Illinois (60) Oklahoma (60)
  • Among states and territories, there are as many ‘F’ scores as there are ‘A’s
  • The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software.

Significant security concerns were observed with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.

The battleground states

According to political experts, the following states are considered “battleground” states that will help determine the result of the election. Half of them have an overall IT infrastructure graded ‘C’ or lower:

  • Michigan: 92 (A)
  • North Carolina: 81 (B)
  • Wisconsin: 88 (B)
  • Arizona: 81 (B)
  • Texas: 85 (B)
  • New Hampshire: 77 (C)
  • Pennsylvania: 85 (B)
  • Georgia: 77 (C)
  • Nevada: 74 (C)
  • Iowa: 68 (D)
  • Florida: 73 (C)
  • Ohio: 68 (D)

“The IT infrastructure of state governments should be of critical importance to securing election integrity,” said Alex Heid, Chief Research & Development Officer at SecurityScorecard.

“This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors.

“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”

Potential consequences of lower scores

  • Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation. Malicious actors often sell access to organizations they have successfully infected.
  • Attacks via third-party vendors – many states use the same vendors, so access into one could mean access to all. This is the top cybersecurity concern for political campaigns.
  • Voter registration databases could be impacted. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.

“These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments,” said Rob Knake, the former director for cybersecurity policy at the White House in the Obama Administration.

“For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections, but save more lives.”

A set of best practices for states

  • Create dedicated voter and election-specific websites as subdomains of the official state domain, rather than using alternative domain names, which are easier to typosquat
  • Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
  • States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
  • States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent vetting
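A concrete form of the ‘two-person’ rule from the list above, as an added example that is not part of the SecurityScorecard report: a content change to an election site is accepted only when it carries valid approvals from two distinct authorised editors over the exact bytes being published. Editor names, keys and the page text are constructed; the keyed-hash approvals are a hypothetical stand-in for per-user signing keys (in practice hardware-backed, with an audit log) and not any state’s actual process.

```python
"""Added example: dual control for publishing election-site content.

Each authorised editor holds a secret key (random bytes here, a hardware token in
practice). An approval is a keyed hash (HMAC) of the content hash, so it cannot be
transferred to different content, and two approvals from the same editor count once.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

Approval = Tuple[str, str]  # (editor id, hex HMAC over the content hash)


class TwoPersonPublisher:
    def __init__(self, editor_keys: Dict[str, bytes], required: int = 2):
        self.editor_keys = editor_keys
        self.required = required

    def approve(self, editor: str, content: bytes) -> Approval:
        """An editor authorises exactly this content with their own key."""
        digest = hashlib.sha256(content).digest()
        return editor, hmac.new(self.editor_keys[editor], digest, hashlib.sha256).hexdigest()

    def valid_approvers(self, content: bytes, approvals: List[Approval]) -> Set[str]:
        """Distinct editors whose approval verifies over *this* content."""
        digest = hashlib.sha256(content).digest()
        ok: Set[str] = set()
        for editor, mac in approvals:
            key = self.editor_keys.get(editor)
            if key is None:
                continue  # unknown editor: ignored, never counted
            expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, mac):  # constant-time comparison
                ok.add(editor)
        return ok

    def can_publish(self, content: bytes, approvals: List[Approval]) -> bool:
        """True only if at least `required` distinct authorised editors approved this content."""
        return len(self.valid_approvers(content, approvals)) >= self.required


def demo() -> Dict[str, bool]:
    """Constructed scenario covering the ways a single actor might try to satisfy the rule alone."""
    keys = {e: secrets.token_bytes(32) for e in ("alice", "bob", "carol")}
    pub = TwoPersonPublisher(keys)
    page = b"Polls open 07:00-20:00. Precinct 12A votes at Lincoln School."
    tampered = b"Polls open 07:00-20:00. Precinct 12A votes at Jefferson School."
    a = pub.approve("alice", page)
    b = pub.approve("bob", page)
    return {
        "two_distinct_editors": pub.can_publish(page, [a, b]),
        "same_editor_twice": pub.can_publish(page, [a, a]),
        "single_editor": pub.can_publish(page, [a]),
        "approvals_replayed_on_tampered_content": pub.can_publish(tampered, [a, b]),
        "unknown_editor_with_copied_mac": pub.can_publish(page, [a, ("mallory", b[1])]),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are that approvals are bound to the content hash (so a second approval cannot be replayed on a later, altered version of the page) and that approvers are counted as a set (so one compromised account cannot approve twice).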

CPRA: More opportunity than threat for employers

Increasingly demanded by consumers, data privacy laws can create onerous burdens on even the most well-meaning businesses. California presents plenty of evidence to back up this statement, as more than half of organizations that do business in California still aren’t compliant with the California Consumer Privacy Act (CCPA), which went into effect earlier this year.

As companies struggle with their existing compliance requirements, many fear that a new privacy ballot initiative – the California Privacy Rights Act (CPRA) – could complicate matters further. While it’s true that if passed this November, the CPRA would fundamentally change the way businesses in California handle both customer and employee data, companies shouldn’t panic. In fact, this law presents an opportunity for organizations to change their relationship with employee data to their benefit.

CPRA, the Californian GDPR?

Set to appear on the November 2020 ballot, the CPRA, also known as CCPA 2.0 or Prop 24 (its name on the ballot), builds on what is already the most comprehensive data protection law in the US. In essence, the CPRA will bring data protection in California nearer to the current European legal standard, the General Data Protection Regulation (GDPR).

In the process of “getting closer to GDPR,” the CCPA would gain substantial new components. Besides enhancing consumer rights, the CPRA also creates new provisions for employee data as it relates to their employers, as well as data that businesses collect from B2B business partners.

Although controversial, the CPRA is likely to pass. August polling shows that more than 80% of voters support the measure. However, many businesses do not. This is because, at first glance, the CPRA appears to create all kinds of legal complexities in how employers can and cannot collect information from workers.

Many organizations’ natural reaction to the prospect of the CPRA becoming law is fear of having to meet the same demanding requirements as their European counterparts. That fear is largely unfounded: if the CPRA passes, it is unlikely to be as onerous as some businesses think.

CPRA and employment data

The CPRA is actually a lot more lenient than the GDPR in regard to how it polices the relationship between employers and employees’ data. Unlike its EU equivalent, the proposed Californian law already contains many exceptions acknowledging that worker-employer relations are not like consumer-vendor relations.

Moreover, the CPRA extends the CCPA exemption for employers, set to end on January 1, 2021. This means that if the CPRA passes into law, employers would be released from both their existing and potential new employee data protection obligations for two more years, until January 1, 2023. This exemption would apply to most provisions under the CPRA, including the personal information collected from individuals acting as job applicants, staff members, employees, contractors, officers, directors, and owners.

However, employers would still need to provide notice of data collection and maintain safeguards for personal information. It’s highly likely that during this two-year window, additional reforms would be passed that might further ease employer-employee data privacy requirements.

Nonetheless, employers should act now

While the CPRA won’t change much overnight, impacted organizations shouldn’t wait to take action, but should take this time to consider what employee data they collect, why they do so, and how they store this information.

This is especially pertinent now that businesses are collecting more data than ever on their employees. With companies like the workplace monitoring company Prodoscore reporting that interest from prospective customers rose by 600% since the pandemic began, we are seeing rapid growth in companies looking to monitor how, where, and when their employees work.

This trend emphasizes the fact that the information flow between companies and their employees is mostly one-sided (i.e., from the worker to the employer). Currently, businesses have no legal requirement to be transparent about this information exchange. That will change for California-based companies if the CPRA comes into effect and they will have no choice but to disclose the type of data they’re collecting about their staff.

The only sustainable solution for impacted businesses is to be transparent about their data collection with employees and work towards creating a “culture of privacy” within their organization.

Creating a culture of privacy

Rather than viewing employee data privacy as some perfunctory obligation where the bare minimum is done for the sake of appeasing regulators, companies need to start thinking about worker privacy as a benefit. Presented as part of a benefits package, comprehensive privacy protection is a perk that companies can offer prospective and existing employees.

Privacy benefits can include access to privacy protection services that extend beyond the workplace. Packaged alongside privacy awareness training and education, these can be offered to employees next to standard perks like health or retirement plans. Doing so builds a culture of privacy that helps companies stay in regulatory compliance, while also making it easier to attract qualified talent and retain workers.

It’s also worth bearing in mind that creating a culture of privacy doesn’t necessarily mean that companies have to stop monitoring employee activity. In fact, employees are less worried about being watched than they are about the possibility of their employers misusing their data. Their fears are well-founded: although over 60% of businesses today use workforce data, only 3 in 10 business leaders are confident that this data is treated responsibly.

For this reason, companies that want to keep employee trust and avoid bad PR need to prioritize transparency. This could mean drawing up a “bill of rights” that lets employees know what data is being collected and how it will be used.

Research into employee satisfaction backs up the value of transparency. Studies show that while only 30% of workers are comfortable with their employer monitoring their email, the number of employees open to the use of workforce data goes up to 50% when the employer explains the reasons for doing so. This number further jumps to 92% if employees believe that data collection will improve their performance or well-being or come with other personal benefits, like fairer pay.

On the other hand, most employees would leave an organization if its leaders did not use workplace data responsibly. Moreover, 55% of candidates would not even apply for a job with such an organization in the first place.

Final thoughts

With many exceptions for workplace data management already built-in and more likely to come down the line, most employers should be able to easily navigate the stipulations CPRA entails.

That being said, if it becomes law this November, employers shouldn’t misuse the two-year window they have to prepare for new compliance requirements. Rather than seeing this time as breathing space before a regulatory crackdown, organizations should instead use it to be proactive in their approach to how they manage their employees’ data. As well as just ensuring they comply with the law, businesses should look at how they can turn employee privacy into an asset.

As data privacy stays at the forefront of employees’ minds, businesses that can show they have a genuine privacy culture will be able to gain an edge when it comes to attracting and retaining talent and, ultimately, coming out on top.

NIST crowdsourcing challenge aims to de-identify public data sets to protect individual privacy

NIST has launched a crowdsourcing challenge to spur new methods to ensure that important public safety data sets can be de-identified to protect individual privacy.


The Differential Privacy Temporal Map Challenge includes a series of contests that will award a total of up to $276,000 for differential privacy solutions for complex data sets that include information on both time and location.

Critical applications vulnerability

For critical applications such as emergency planning and epidemiology, public safety responders may need access to sensitive data, but sharing that data with external analysts can compromise individual privacy.

Even if data is anonymized, malicious parties may be able to link the anonymized records with third-party data and re-identify individuals. And, when data has both geographical and time information, the risk of re-identification increases significantly.

“Temporal map data, with its ability to track a person’s location over a period of time, is particularly helpful to public safety agencies when preparing for disaster response, firefighting and law enforcement tactics,” said Gary Howarth, NIST prize challenge manager.

“The goal of this challenge is to develop solutions that can protect the privacy of individual citizens and first responders when agencies need to share data.”

Protecting PII

Differential privacy provides much stronger data protection than anonymity; it’s a provable mathematical guarantee that protects personally identifiable information (PII).

By fully de-identifying data sets containing PII, researchers can ensure data remains useful while limiting what can be learned about any individual in the data regardless of what third-party information is available.
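The guarantee the article refers to has a precise form. The definition below is added here as an illustration (it is not part of the NIST announcement): a randomized algorithm $M$ is $\varepsilon$-differentially private if, for every pair of data sets $D$ and $D'$ differing in one individual's records and every set of outputs $S$,

$$
\Pr[M(D) \in S] \le e^{\varepsilon} \cdot \Pr[M(D') \in S].
$$

Because the bound holds for every $D, D'$ and every $S$, it constrains what any observer can infer about one individual's presence no matter what auxiliary information they bring, which is why it survives the linkage attacks that defeat plain anonymization; smaller $\varepsilon$ means a tighter guarantee and, typically, less utility, the trade-off the challenge's scoring metrics are meant to measure.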

The individual contests that make up the challenge will include a series of three “sprints” in which participants develop privacy algorithms and compete for prizes, as well as a scoring metrics development contest (A Better Meter Stick for Differential Privacy Contest) and a contest designed to improve the usability of the solvers’ source code (The Open Source and Development Contest).

The Better Meter Stick for Differential Privacy Contest will award a total prize purse of $29,000 for winning submissions that propose novel scoring metrics by which to assess the quality of differentially private algorithms on temporal map data.

The three Temporal Map Algorithms sprints will award a total prize purse of $147,000 over a series of three sprints to develop algorithms that preserve data utility of temporal and spatial map data sets while guaranteeing privacy.

The Open Source and Development Contest will award a total prize purse of $100,000 to teams leading in the sprints to increase their algorithm’s utility and usability for open source audiences.

Companies that facilitate ransomware payments risk violating US sanctions

Companies that ransomware-hit US organizations hire to facilitate the paying of the ransom are at risk of breaking US sanctions, falling afoul of the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) regulations and may end up paying millions in fines.


These include financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.

What is the OFAC?

The Office of Foreign Assets Control of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals.

Sanctions can be enforced against foreign countries/regimes, organized groups and individuals that “threaten the national security, foreign policy or economy of the United States”. Ransomware-wielding gangs fall in that category.

In a security advisory published on Thursday, the OFAC mentioned the developer of Cryptolocker, Iranian supporters of SamSam ransomware-wielding gangs, the Lazarus Group (a cybercriminal organization sponsored by North Korea that used the WannaCry ransomware) and Evil Corp, a Russia-based cybercriminal organization that wields the Dridex malware, as malicious cyber actors under its cyber-related sanctions program.

The advisory’s salient points

“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data,” the OFAC explained.

“OFAC encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus. Victims should also contact the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a US financial institution or may cause significant disruption to a firm’s ability to perform critical financial services.”

OFAC might issue a special license allowing the victim or the companies acting on its behalf to perform the transaction (the paying of the ransom), but each application “will be reviewed by OFAC on a case-by-case basis with a presumption of denial.”

Also, it won’t matter whether the victim knew that the ransomware gangs involved are from countries under US sanctions or are under sanctions themselves.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the advisory pointed out.

To pay or not to pay?

It would be best, of course, if a ransomware-hit organization didn’t have to pay the ransom in order to quickly recover its IT capabilities and return to functioning as normal, but sometimes paying up is the only option if it wants to stay afloat and/or keep providing vital services.

In and of itself, paying a ransom is not against the law, but if the payment is made to an entity or individual under US sanctions, the action is technically illegal.

But, according to Dissent Doe, FBI and Secret Service officials who attended a panel at the Privacy + Security Forum in Washington, D.C., a year ago confirmed that the US government has never prosecuted any victim for paying ransom.

The same panel, which also gathered private sector lawyers and a representative of a consulting firm, also unanimously confirmed that in an overwhelming majority of cases, victims end up getting the decryption key and their data back after paying up.

“So although the public isn’t told this clearly because the government wants to discourage it, I will repeat what I have been saying for quite a while: for some entities, paying ransom will just be a business decision based on how much money they will lose if they cannot function due to the ransomware attack,” Doe noted.

A (potential) fine levied by the US government then becomes just a factor in that equation.

Large US hospital chain hobbled by Ryuk ransomware

US-based healthcare giant Universal Health Services (UHS) suffered a cyberattack on Sunday morning, which resulted in the IT network across its facilities being shut down.

Location of UHS facilities

What happened?

UHS operates nearly 400 hospitals and healthcare facilities throughout the US, Puerto Rico and the UK.

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods,” the company stated on Monday.

“Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”

No more details were shared about the nature of the “IT security issue” (as they chose to call it), leaving the door open for unconfirmed reports from professed insiders (employees at some of the affected facilities) to proliferate online.

A Reddit thread started on Monday is chock full of them:

  • The attack involved ransomware – Ryuk ransomware, to be more specific
  • It’s unknown how many systems have been affected, i.e., how widespread is the damage
  • “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center”
  • Ambulances are being rerouted to other hospitals, and information needed to treat patients – health records, lab work, cardiology reports, medication records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment
  • “4 people died tonight alone due to the waiting on results from the lab to see what was going on”

Was it Ryuk?

While most of these reports have yet to be verified, it seems almost certain that ransomware is in play.

Bleeping Computer was told by an employee that the encrypted files sported the .ryk extension and another employee described a ransom note that points to Ryuk ransomware.

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then move laterally through open shares, infecting documents and compromised accounts,” commented Jeff Horne, CSO, Ordr.

Justin Heard, Director of Security, Intelligence and Analytics at Nuspire, noted that up until recently, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and now healthcare.

“Ryuk is known to target large organizations across industries because it demands a very high ransom. The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand,” he explained.

“Ryuk Ransomware is run by a group called Wizard Spider, which is known as the Russia-based operator of the TrickBot banking malware. Ryuk is one of the most evasive ransomware out there. Nuspire Intelligence has repeatedly seen the triple threat combo of Ryuk, TrickBot and Emotet wreak the most damage to a network and harvest the most amount of data.”

Some ransomware operators have previously stated that they would refrain from hitting healthcare organizations. Despite that, the number of attacks targeting medical institutions continues to rise.

CISA orders federal agencies to implement Zerologon fix by Monday

If you had any doubts about the criticality of the Zerologon vulnerability (CVE-2020-1472) affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency (CISA) has issued on Friday an emergency directive instructing federal agencies to “immediately apply the Windows Server August 2020 security update to all domain controllers” – and to do so by the end of Monday (September 21).


“If affected domain controllers cannot be updated, ensure they are removed from the network,” CISA advised.

To make sure the order has been complied with, the agency asks department-level Chief Information Officers (CIOs) or equivalents to submit completion reports by Wednesday.

About the vulnerability

Security updates fixing CVE-2020-1472, a privilege elevation vulnerability in the Netlogon Remote Protocol (MS-NRPC), were provided by Microsoft in August, and the researchers who discovered the bug revealed more technical information about it last week.

That release was followed by the publication of a slew of PoC exploits.

Zerologon’s severity stems from the fact that it can be leveraged by an unauthenticated attacker with network access to a domain controller to impersonate any domain-joined computer, including a domain controller.

“Among other actions, the attacker can set an empty password for the domain controller’s Active Directory computer account, causing a denial of service, and potentially allowing the attacker to gain domain administrator privileges. The compromise of Active Directory infrastructure is likely a significant and costly impact,” CERT/CC says.

The risk

“CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action,” the agency noted in the emergency directive.

“This determination is based on the following: the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited; the widespread presence of the affected domain controllers across the federal enterprise; the high potential for a compromise of agency information systems; the grave impact of a successful compromise; and the continued presence of the vulnerability more than 30 days since the update was released.”

State and local governments should heed this call as well, not to mention organizations in the private sector.

We have yet to hear of the vulnerability being actively exploited in the wild, but it’s just a matter of time until attackers gain the ability to leverage it and start doing so.

Mobile voting: Hype or reality?

The 2020 United States presidential election is already off to a rocky start. We’ve seen technology fail in the primary elections, in-person campaigning halted, and a plethora of mixed messages on how voting will actually take place. Many Americans are still uncertain where or how they will vote in November – or worse, they’re unsure if their vote will be tabulated correctly.


For most of us, voting by anything other than a paper ballot or a voting machine is a foreign concept. Due to the pandemic and shelter in place restrictions, various alternatives have been considered this year — in particular, voting via our mobile devices.

On paper, it might seem like COVID-19 has created the ideal opportunity to introduce voting options that utilize the millions of mobile phones and tablets in U.S. voters’ hands. The reality is, our country is not ready to utilize this technology in a safe and protected way.

Here are the four things holding back mobile voting:

Testing and scalability

If we have learned anything from the Iowa Caucus app failure, it is that testing for scalability is key. Prior to Election Day, we must confirm that every voter will be able to vote from their mobile device from any location, all at the same time, without the system crashing.

This is no small feat: newly deployed code almost always has faults, and if a voting app has not undergone rigorous testing at scale by now (less than 75 days from Election Day), it is highly unlikely that it could be sufficiently tested and distributed in time.

Verification and secret ballots

Tying an identity to a user and phone negates the concept of an anonymized ballot, something we’re entitled to as eligible voters. If the vote is cast via a mobile device — especially if there is some way of reconciling the paper ballot back to the electronic vote — then there has to be an identity key that is used to correlate them.

Verifying the identity of the voter and their device and doing it in a way that also allows for secret ballots is a critical challenge to overcome if mobile voting is ever to become a reality.

Trust

Even if the kinks in mobile voting are worked out, how can we ensure overall trust in the system? Not only do we need to trust that our vote was cast, but that it was cast in a way that is private, secure, and for the person it was intended. If there is no reconciliation with the paper ballot, how are any risk-limiting audits conducted? Without an auditable system, it is impossible to win the trust of the electorate, which is an absolute necessity ahead of a process as integral to our country as voting.

QR code risks

Chances are, voters would be directed to a voting website via a QR code. While the reliance on distributed ledger technology — even with a cryptographic signature that is highly resistant to alteration — provides a strong method of recording and tabulating votes, it is still not cyber-invincible.

QR codes are not “readable” by humans. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective. The target of the QR code could result in compromise of credentials, phishing, and malicious code downloads.

Most significantly in this scenario, the QR code could redirect the voter to a site where their vote is captured, altered, returned to the device or forwarded on to the actual site, and when the voter signs the affidavit and submits their vote, it may or may not be for who they actually intended to vote.

Ultimately, the most important thing we can do this election is vote — vote by mail, vote in person, vote early, and vote in a way that you can be sure your vote will be counted for the candidate for whom you intended to vote. However, the idea that we’ll be able to vote safely via our mobile devices — at least this time around — is nothing but a pipe dream. Until we work out the security and privacy concerns associated with mobile voting, we’re going to have to stick to traditional methods.

State Department offers $10 million for info on hackers targeting U.S. elections

As the day of the U.S. presidential elections is quickly approaching, election security is again becoming a topic of more and more security discussions.


Are the polling booth systems secure? Could attackers interfere with them? What about voting by mail? Is it a secure option? Will the United States Postal Service (USPS) be able to handle a greater than usual (due to COVID-19) influx of mailed ballots?

The security of electronic voting

Prior to the 2016 U.S. presidential elections, cyber attackers who are believed to be Russian operatives succeeded in compromising websites or voter registration systems in seven U.S. states, NBC revealed in early 2018.

Though the attackers apparently didn’t make changes to votes or voter rolls, the revelation was enough to raise doubts about voting security.

It doesn’t help that, over the intervening years, security researchers and hackers have demonstrated how electronic voting systems and polling booths can be hacked and manipulated.

In 2019, the U.S. House of Representatives passed a bill that would mandate election systems to use voter-verified paper ballots so that election interference can be avoided, for voting machines to be disconnected from the internet, and for states to get funds to enhance the security of their election systems and infrastructure. The bill was never voted on in the U.S. Senate.

In May 2020, the House again tried to allot money ($3.6 billion) for election security through the Health and Economic Recovery Omnibus Emergency Solutions (HEROES) Act, but the bill is expected to be modified and it’s possible it won’t include funds for helping states cover pandemic-related costs for the election.

In the meantime, the federal government is providing state and local officials with additional tools – endpoint detection and response software – to help defend the nation’s election systems from cyberthreats ahead of the November vote.

On Wednesday, the U.S. Department of State offered “a reward of up to $10 million for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities.”

“The reward offer seeks information on the identification or location of any person who, while acting at the direction of or under the control of a foreign government, interferes with any U.S. federal, state, or local election by aiding or abetting a violation of section 1030 of title 18, which relates to computer fraud and abuse,” the State Department noted.

The reward is offered for information about individuals involved in the unauthorized accessing of election and campaign infrastructure, including voter registration databases and voting machines, and in malicious cyber operations against U.S. political organizations or campaigns to steal confidential information and then leak that information as part of influence operations to undermine political organizations or candidates.

The security of mail-in voting

As U.S. President Donald Trump claims that voting by mail opens the voting process to potential fraud and corruption, then backtracks, some voters have started doubting the security of the option.

Experts, on the other hand, say that adversaries couldn’t interfere with voting by mail in any meaningful way, and the USPS assures it can handle the added volume of mail-in ballots in November’s election.

Assessing the email security controls used by 10,000 U.S. state and local election administrators

With fewer than 100 days left until Election Day, a new report from Area 1 Security reveals that states are still in widely varying stages of cybersecurity readiness.


Key findings include:

  • The majority (53.24 percent) of state and local election administrators have only rudimentary or non-standard technologies to protect themselves from phishing
  • Fewer than 3 out of 10 (28.14 percent) election administrators have basic controls to prevent phishing
  • Fewer than 2 out of 10 (18.61 percent) election administrators have implemented advanced anti-phishing cybersecurity controls
  • A surprising 5.42 percent of election administrators rely on personal email accounts or technologies designed for personal email (such as Yahoo!, Hotmail, AOL or others), to conduct their duties
  • A number of election administrators independently manage their own custom email infrastructure, including using versions of Exim known to be targeted by cyber actors linked to the Russian military that interfered in prior U.S. elections.

Ninety-five percent of cybersecurity damages worldwide begin with phishing, and phishing campaigns come in all shapes and sizes. The majority of phishing campaigns begin with an innocuous and authentic email that individuals are unable to recognize as malicious. Consequently, the quality of email protection used by organizations and individuals has an inordinate bearing on their overall cybersecurity posture.

“Our elections are vital. They need to be resilient against whatever crisis the moment throws at us — and that requires resources and planning,” said Oren J. Falkowitz, co-founder of Area 1 Security. “However, most state and local election administrators are not very close to ensuring a safe election. This challenge is going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes.”

Security recommendations for state and local election administrators

Ending use of Exim email servers: Given the government’s guidance to update Exim to mitigate CVE-2019-10149 and other vulnerabilities including, but not limited to, CVE-2019-15846 and CVE-2019-16928, election administrators are urged to cease use of Exim. Upgrading alone does not mitigate exploitation. Prior Russian cyber activities directed towards U.S. elections make use of Exim ill-advised. For those who must continue running Exim, update to the latest version; running a version prior to 4.93 leaves a system vulnerable to disclosed vulnerabilities. Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version.

Transitioning to cloud email infrastructure: Running custom email infrastructure requires network administrators to be perfect every single day. Instead, Area 1 Security recommends the use of cloud email infrastructure such as Google’s GSuite or Microsoft’s Office 365 in combination with a cloud email security solution.

Ending use of personal email technologies for election duties: Under no circumstances should election administrators use personal email for the conduct or administration of elections.
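The Exim recommendation above comes down to a concrete check: is the server running Exim at all, and if so, is it at or above the 4.93 floor the report names? The script below is an added example, not code from Area 1 Security or the Exim project; the `exim -bV` output line it parses is constructed for the example, and the version floor is taken from the recommendation above.

```shell
#!/bin/sh
# Added example: check an Exim version string against the 4.93 floor named
# in the report, and inspect the locally installed exim if present.

# Floor below which the report says disclosed vulnerabilities remain exposed.
EXIM_MIN_VERSION="4.93"

# version_ge A B -> exit 0 if A >= B, comparing dot-separated components
# numerically (so 4.94.2 > 4.93 and 4.92.3 < 4.93). Non-digit suffixes
# such as "rc1" are ignored; a missing component counts as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        ca=$(printf '%s' "$a" | cut -d. -f"$i")
        cb=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both strings exhausted with no difference found: equal.
        [ -z "$ca" ] && [ -z "$cb" ] && return 0
        ca=$(printf '%s' "$ca" | tr -cd '0-9'); ca=${ca:-0}
        cb=$(printf '%s' "$cb" | tr -cd '0-9'); cb=${cb:-0}
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
        i=$((i + 1))
    done
}

# exim_version_from_bv LINE -> prints the version number found in the first
# line of `exim -bV` output, e.g. "Exim version 4.92 #3 built ..." -> 4.92.
# Prints nothing if the line does not look like exim's banner.
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p'
}

# exim_version_ok VERSION -> exit 0 if VERSION meets the floor, 1 otherwise.
exim_version_ok() {
    version_ge "$1" "$EXIM_MIN_VERSION"
}

# check_installed_exim -> reports on the local exim binary, if any.
# Exit codes: 0 = absent or at/above floor, 1 = below floor, 2 = unparseable.
check_installed_exim() {
    if ! command -v exim >/dev/null 2>&1; then
        echo "exim not installed (matches the report's first recommendation)"
        return 0
    fi
    banner=$(exim -bV 2>/dev/null | head -n 1)
    v=$(exim_version_from_bv "$banner")
    if [ -z "$v" ]; then
        echo "could not parse exim -bV output: $banner"
        return 2
    fi
    if exim_version_ok "$v"; then
        echo "exim $v: at or above $EXIM_MIN_VERSION"
        return 0
    fi
    echo "exim $v: below $EXIM_MIN_VERSION, upgrade or decommission"
    return 1
}
```

Run `check_installed_exim` on the mail host itself; the version parsing and comparison can be exercised on any machine with the constructed banner line.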

Building a quantum internet: Fast data exchange, difficult to eavesdrop

The U.S. Department of Energy (DOE) unveiled a report that lays out a blueprint strategy for the development of a national quantum internet. It provides a pathway to ensure the development of the National Quantum Initiative Act, which was signed into law by President Trump in December of 2018.


Around the world, consensus is building that a system to communicate using quantum mechanics represents one of the most important technological frontiers of the 21st century. Scientists now believe that the construction of a prototype will be within reach over the next decade.

In February of this year, DOE National Laboratories, universities, and industry met to develop the blueprint strategy of a national quantum internet, laying out the essential research to be accomplished, describing the engineering and design barriers, and setting near-term goals.

“The Department of Energy is proud to play an instrumental role in the development of the national quantum internet,” said U.S. Secretary of Energy Dan Brouillette. “By constructing this new and emerging technology, the United States continues with its commitment to maintain and expand our quantum capabilities.”

DOE’s 17 National Laboratories will serve as the backbone of the coming quantum internet, which will rely on the laws of quantum mechanics to control and transmit information more securely than ever before. Currently in its initial stages of development, the quantum internet could become a secure communications network and have a profound impact on areas critical to science, industry, and national security.

Crucial steps toward building such an internet are already underway in the Chicago region, which has become one of the leading global hubs for quantum research. In February of this year, scientists from DOE’s Argonne National Laboratory in Lemont, Illinois, and the University of Chicago entangled photons across a 52-mile “quantum loop” in the Chicago suburbs, successfully establishing one of the longest land-based quantum networks in the nation. That network will soon be connected to DOE’s Fermilab in Batavia, Illinois, establishing a three-node, 80-mile testbed.

“Decades from now, when we look back to the beginnings of the quantum internet, we’ll be able to say that the original nexus points were here in Chicago—at Fermilab, Argonne, and the University of Chicago,” said Nigel Lockyer, director of Fermilab. “As part of an existing scientific ecosystem, the DOE National Laboratories are in the best position to facilitate this integration.”

A range of unique abilities

One of the hallmarks of quantum transmissions is that they are exceedingly difficult to eavesdrop on as information passes between locations. Scientists plan to use that trait to make virtually unhackable networks. Early adopters could include industries such as banking and health services, with applications for national security and aircraft communications. Eventually, the use of quantum networking technology in mobile phones could have broad impacts on the lives of individuals around the world.

Scientists are also exploring how the quantum internet could expedite the exchange of vast amounts of data. If the components can be combined and scaled, society may be at the cusp of a breakthrough in data communication, according to the report.

Finally, creating networks of ultra-sensitive quantum sensors could allow engineers to better monitor and predict earthquakes—a longtime and elusive goal—or to search for underground deposits of oil, gas, or minerals. Such sensors could also have applications in health care and imaging.

A multi-lab, multi-institution effort

Creating a full-fledged prototype of a quantum internet will require intense coordination among U.S. Federal agencies—including DOE, the National Science Foundation, the Department of Defense, the National Institute for Standards and Technology, the National Security Agency, and NASA—along with National Laboratories, academic institutions, and industry.

The report lays out crucial research objectives, including building and then integrating quantum networking devices, perpetuating and routing quantum information, and correcting errors. Then, to put the nationwide network into place, there are four key milestones: verify secure quantum protocols over existing fiber networks, send entangled information across campuses or cities, expand the networks between cities, and finally expand between states, using quantum “repeaters” to amplify signals.

“The foundation of quantum networks rests on our ability to precisely synthesize and manipulate matter at the atomic scale, including the control of single photons,” said David Awschalom, Liew Family Professor in Molecular Engineering at the University of Chicago’s Pritzker School of Molecular Engineering, senior scientist at Argonne National Laboratory, and director of the Chicago Quantum Exchange. “Our National Laboratories house world-class facilities to image materials with subatomic resolution and state-of-the-art supercomputers to model their behavior. These powerful resources are critical to accelerating progress in quantum information science and engineering, and to leading this rapidly evolving field in collaboration with academic and corporate partners.”

Other National Laboratories are also driving advances in quantum networking and related technologies. For example, Stony Brook University and Brookhaven National Laboratory, working with the DOE’s Energy Sciences Network headquartered at Lawrence Berkeley National Laboratory, have established an 80-mile quantum network testbed and are actively expanding it in New York State and at Oak Ridge and Los Alamos National Laboratories. Other research groups are focused on developing a quantum cryptography system with highly secured information.

Three major gaps in the Cyberspace Solarium Commission’s report that need to be addressed

Released in March 2020, the Cyberspace Solarium Commission’s report urges the U.S. government and private sector to adopt a “new, strategic approach to cybersecurity,” namely layered cyber deterrence.


Among the Commission’s lengthy 182-page report’s recommendations are that security vendors must be responsible for providing security updates for their products or services as long as they are providing usability updates and bug fixes. Additionally, the report calls for Congress to “pass a law establishing that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.”

The purpose of the Cyberspace Solarium Commission’s report is noble, and while the report does acknowledge that the recommendations within will not solve every problem, there are still a few key gaps that are worth highlighting and need to be addressed.

Primarily, what this report demonstrates is poor kill-chain based thinking, and it misses the complexity challenge we all face in the tech-enabled critical infrastructure world. For example, most breaches are achieved by exploiting well-known and often old vulnerabilities for which patches and remediations are available but have not been implemented, most likely because of complacency or compatibility issues. But that’s just the beginning of an attack – the core organizational security investments go towards spotting/stopping attackers’ steps after they exploit that vulnerability. This includes everything an attacker executes across the kill-chain: methods used to attain persistence, evade other defenses, escalate access, and eventually take actions and steal data.

The report’s focus on vulnerability management is a futile gesture aimed at “making the wall taller,” as opposed to offering comprehensive guidance on how to build a “combined arms,” defense-in-depth improvement. Vulnerable software is often the root cause of many cybersecurity woes and something that can be improved, but the reality is that making all software secure and free of vulnerabilities is impossible given the volume and complexity of the software in use.

A better strategy would be to improve regulation and make application and enterprise security testing a much more prominent and important requirement. Annual audits don’t cut it; continuous assessment, driven by useful, machine-consumable threat intel, is now available on the market.

Liability for unpatched vulnerabilities would impact software market

Many vulnerabilities have been disclosed over the years, and some are more severe and more likely to be exploited than others. For example, CVE-2014-6271, also known as Shellshock, is considered to be one of the worst bugs ever. It affected the Bash shell on most versions of macOS, Linux and Unix and enabled bad actors to execute malicious code on vulnerable systems. This is an example of a vulnerability that most cybercriminals could easily exploit and that organizations should patch as soon as possible.

The majority of organizations that suffer a breach due to the exploitation of a vulnerability failed to apply a patch that already existed. In those cases, the onus should be completely on the user and not the vendor. However, some liability for vendors is reasonable – but we must also understand that no amount of quality control is going to prevent a hacker from finding a hole, and no company can afford to try. For example, the WannaCry and NotPetya exploits were both allegedly created by state-sponsored adversaries. It’s farfetched to think that any vendor has the resources to compete with a (military) hacking organization.

With this liability, software vendors will add more quality control, therefore raising the end price of all software and limiting innovation. At the same time, the risk of entering this market may end up being too high for small vendors. But there must be a balance.

The Cyberspace Solarium Commission needs to reconsider how this liability should work – stiffening penalties for negligence in software creation, especially for multi-billion dollar tech firms, seems reasonable, but it needs to be balanced against the cost trade-offs, the dampening of innovation, and other effective ways to deal with the challenges stemming from vulnerabilities. This is like saying the U.S. will require carmakers to make crash-proof cars so we can eliminate airbags (and sue the carmaker when cars turn out not to be crash-proof).

The report highlights poor kill-chain based thinking

Quite frankly, problems much bigger than unpatched vulnerabilities are emerging in the cybersecurity space today. In fact, less than 20% of breaches stem from the exploitation of vulnerabilities, according to Verizon’s 2020 Data Breach Investigations Report. The biggest trend in exploitation is configuration exploitation: misconfigured cloud servers and exposed credentials stored in software repos are the culprits behind several companies’ data breaches. All of this accountability lies with the end consumer, which further shows why a reliable defense-in-depth strategy is required.

Organizations should still seek to drive down attackers’ initial access points by focusing on vulnerability management, but they must also realize that vulnerabilities are just one of many initial points of entry into an enterprise’s network. The real damage is done when threat actors move laterally and take other actions within the environment, often operating like an insider.

But the Cyberspace Solarium Commission’s report does not state who is accountable for this movement. There needs to be a defense strategy that would holistically deal with the problem of layered security controls not working effectively.

The report fails to address how vendors can do a better job of testing before their product or service is even released. Continuous testing is not standardized or required in any meaningful way, but security vendors can apply a similar approach at the testing stage of their systems development life cycle (SDLC) and ensure that their products actually defend against the threats they are designed to prevent.

Organizations need a layered defense approach to security. Instead of relying purely on vulnerability patches, companies can operationalize a rich body of technical knowledge that expresses how attackers operate as well as the methods and software they use. We can now do a much better job by using emerging technology in tandem with this knowledge to emulate attacker behaviors to validate each layer of defense in depth to ensure that everything is working and reliable. By making this a policy, the Cyberspace Solarium Commission’s recommendations would be much more practical.

Take a threat-informed approach to defense, not a patch-reliant one

While the U.S. government and private sector both have areas they could work on according to the Commission, end-user organizations must understand that continuously testing security controls against relevant TTPs will help prepare for what’s next when an attacker penetrates their network.

The insights from these tests will help measure the effectiveness of those defenses and help execute continuous improvements. When coupled with a strategy for driving down initial access through vulnerabilities, the end result is an improvement in cybersecurity posture and increased business operations efficiency through a threat-informed (not patch-reliant) defense.
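What “continuously testing security controls against relevant TTPs” looks like in the smallest possible form, as an added example that is not from the Commission’s report or the article: each technique is emulated by a handful of constructed telemetry events (no real logs, nothing executed), the detection rules mapped to that technique are run over those events, and the harness reports which techniques the detection layer catches and which it misses. The ATT&CK technique IDs, the event schema and the rules themselves are illustrative assumptions; a real harness would feed real emulation output into the real SIEM rules.

```python
"""Minimal threat-informed control validation harness (added example).

Each emulated technique -> constructed events -> mapped detection rules.
A technique counts as 'detected' if any mapped rule fires on any of its events.
Technique IDs, events and rules are illustrative assumptions, not real telemetry.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    host: str
    user: str
    process: str
    cmdline: str
    parent: str
    target: str = ""  # process whose memory/handle was accessed, if any


# Constructed telemetry emulating three techniques (nothing here is executed).
EMULATED: Dict[str, List[Event]] = {
    # Encoded PowerShell spawned from an Office process
    "T1059.001": [Event("ws01", "alice", "powershell.exe",
                        "powershell -nop -w hidden -enc SQBFAFgAIAAo",
                        "winword.exe")],
    # LSASS memory dump via a signed dumping tool
    "T1003.001": [Event("ws01", "SYSTEM", "procdump.exe",
                        "procdump -ma lsass.exe out.dmp", "cmd.exe",
                        target="lsass.exe")],
    # Lateral movement over SMB admin share: no rule is mapped on purpose
    "T1021.002": [Event("ws02", "alice", "cmd.exe",
                        r"net use \\srv01\ADMIN$ /user:corp\alice",
                        "explorer.exe")],
}

Rule = Callable[[Event], bool]


def encoded_powershell(e: Event) -> bool:
    """Fires on powershell.exe carrying an encoded command argument."""
    c = e.cmdline.lower()
    return e.process.lower() == "powershell.exe" and ("-enc" in c or "-encodedcommand" in c)


def lsass_access(e: Event) -> bool:
    """Fires when a non-allow-listed process touches lsass.exe."""
    allowed = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
    return e.target.lower() == "lsass.exe" and e.process.lower() not in allowed


RULES: Dict[str, List[Rule]] = {
    "T1059.001": [encoded_powershell],
    "T1003.001": [lsass_access],
    # "T1021.002" deliberately unmapped: the harness should surface the gap.
}


def validate(emulated: Dict[str, List[Event]], rules: Dict[str, List[Rule]]) -> Dict[str, bool]:
    """Return technique -> whether any mapped rule detected any emulated event."""
    results: Dict[str, bool] = {}
    for technique, events in emulated.items():
        mapped = rules.get(technique, [])
        results[technique] = any(rule(ev) for rule in mapped for ev in events)
    return results


def coverage_gaps(results: Dict[str, bool]) -> List[str]:
    """Techniques the detection layer did not catch, sorted for stable reporting."""
    return sorted(t for t, detected in results.items() if not detected)


if __name__ == "__main__":
    res = validate(EMULATED, RULES)
    for technique, detected in res.items():
        print(f"{technique}: {'detected' if detected else 'MISSED'}")
    print("coverage gaps:", coverage_gaps(res))
```

The value of the exercise is the MISSED line: a technique with no working rule is exactly the “layered security control not working effectively” the article talks about, and the report it produces is what feeds the continuous improvement loop. The same structure scales up by replacing the constructed events with output from a real adversary emulation tool and the rule functions with calls into the SIEM’s rule engine.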

IoT security: In 2020, action needs to match awareness

As the power of IoT devices increases, security has failed to follow suit. This is a direct result of the race to the bottom on price for network-enabling every device.


But small steps can greatly increase the overall security of IoT.

A better IoT security story has to be one of the most urgent priorities in all of technology. That’s because IoT is one of the industry’s most compelling opportunities and squandering it due to security challenges would be a massive blunder – especially since those challenges are surmountable.

There’s a good reason IoT has become an ever-present buzzword: it has the potential to change many aspects of life and is brimming with opportunities for exciting innovation. This is especially true on the industrial side, where the technology is fueling advances in digital factories, power management, supply-chain optimization, the connected car, and robotics.

Indeed, many companies are moving beyond piloting and prototyping IoT projects to real-world applications. Many are incorporating machine learning and other artificial intelligence (AI) technologies to gain insights from the colossal amounts of data all these sensors and other devices produce.

Yet lack of security continues to threaten the progress of this game-changing technology.

Various studies have shown that security is the number one concern for enterprise IoT customers and that they would move faster on IoT programs if their concerns were allayed.

More than three years have passed since the IoT security threat crashed into public view with the massive denial-of-service attack on a major DNS provider which caused outages of some of the web’s most popular sites. The attack was instigated by a botnet of around 145,000 IoT devices – mostly webcams and DVRs – compromised by Mirai malware. In the intervening years, IoT botnets have grown in size and so has the number of attacks fueled by them. But IoT has other troubling security issues, as demonstrated by the rash of IoT locks with glaring security holes in the past year.

The incident should have served as a rallying point for concerted industry action to address IoT security, but little progress has been made.

What’s taking so long?

A primary IoT selling point – the advent of inexpensive sensors and devices – is also a thorn in IoT security’s side. Many manufacturers are pumping out these things without properly securing them for the internet. Many companies, simply looking for the cheapest deals to keep IoT project costs down, buy them without amply considering their security readiness.

Too many devices are being shipped to customers with no password or with a standard, hard-coded default password that can easily be discovered and exploited. (The Mirai botnet, now some 400,000 devices strong, got its start with a single list of about 60 default usernames and passwords.)

Beyond passwords, many devices simply are not designed with security in mind at both the software and hardware levels. For example, configuration bit streams should be encrypted and protected, but often aren’t.

Another issue is a lack of software updates. When an attack or vulnerability is discovered, updates are not always rolled out in a timely manner – and sometimes not at all.

While IoT security guidelines exist – for example, the Secure By Design code issued by the U.K. in 2018 – they’re seldom enforced. Contrast that with the payment card industry (PCI), which polices itself with rigid security standards and levies penalties on member companies that fail to follow them.

The IoT segment needs to get serious

Awareness of the IoT security issue has reached the government level. In the U.S., a Senate bill introduced in 2019 and similar legislation in the House would require the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take steps to increase the security of IoT devices.

In California, a law took effect on Jan. 1, 2020 requiring that all connected devices sold in the state have “a reasonable security feature or features” and banning shared default passwords.
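Two checks that follow from the shared-default-password problem described above and from the California requirement that devices not ship with a shared default, given here as an added example (not from the article, the U.K. code or the California law): an audit that flags fleet credentials that are empty, short, on a list of well-known factory defaults, or shared between units, and a per-device initial password derived from the serial number and a manufacturing secret so that no two units leave the factory with the same credential. The default list, serials, secret and policy thresholds are constructed for the example; the real Mirai credential list is not reproduced.

```python
"""IoT credential audit and per-device initial password (added example).

KNOWN_DEFAULTS is a short constructed sample of shared factory credentials,
not the real Mirai list. The manufacturing secret, serials and the 12-character
policy minimum are assumptions for the example.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample of shared factory defaults seen on commodity devices.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", ""), ("user", "user"),
}

MIN_PASSWORD_LEN = 12  # fleet policy, assumed


def per_device_password(mfg_secret: bytes, serial: str, length: int = 16) -> str:
    """Derive a unique initial password for one unit.

    HMAC-SHA256(secret, serial), base32-encoded and truncated: reproducible at the
    factory (to print on the label), unique per serial, and not derivable from the
    serial without the secret. Caveat: if the manufacturing secret leaks, every
    derived password is exposed, so it must be stored like a signing key.
    """
    mac = hmac.new(mfg_secret, serial.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")[:length]


def audit_fleet(fleet: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each serial to a list of findings; an empty list means the unit passed.

    fleet: serial -> (username, password) as configured on the device.
    Findings: 'known-default', 'empty', 'short', 'shared'.
    """
    findings: Dict[str, List[str]] = {}
    units_by_credential: Dict[Tuple[str, str], List[str]] = {}
    for serial, (user, password) in fleet.items():
        issues: List[str] = []
        if (user, password) in KNOWN_DEFAULTS:
            issues.append("known-default")
        if password == "":
            issues.append("empty")
        if len(password) < MIN_PASSWORD_LEN:
            issues.append("short")
        units_by_credential.setdefault((user, password), []).append(serial)
        findings[serial] = issues
    # A credential that appears on more than one unit is a shared default, whether
    # or not it is on the known list: that is what the California rule targets.
    for serials in units_by_credential.values():
        if len(serials) > 1:
            for serial in serials:
                findings[serial].append("shared")
    return findings


if __name__ == "__main__":
    secret = b"factory-provisioning-secret-example"  # assumption, not a real key
    fleet = {
        "SN0001": ("admin", "admin"),
        "SN0002": ("admin", per_device_password(secret, "SN0002")),
        "SN0003": ("admin", per_device_password(secret, "SN0003")),
        "SN0004": ("root", ""),
        "SN0005": ("admin", "admin"),
    }
    for serial, issues in audit_fleet(fleet).items():
        print(serial, "OK" if not issues else ", ".join(issues))
```

The audit is what a buyer can run against an inventory export before connecting devices; the derivation is what a manufacturer can do at provisioning time to satisfy a “unique per device” requirement without maintaining a database of random passwords. Neither replaces forcing a password change on first login, which the derived password should still require.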

While this government action is a positive sign, industry typically moves faster than government and IoT manufacturers themselves should take greater responsibility for improved security.

A good start might be an IoT security equivalent to the Energy Star certification for energy efficiency of appliances, electronics, HVAC systems, etc. Energy Star is actually a U.S.-government-backed program, but IoT is moving so fast that I think the industry could get this done faster than waiting for the public sector.

It is up to the industry to once and for all deal with the security challenge or face the prospect that IoT will never achieve its enormous promise and all of us will be paying the price for years from vulnerable devices in the field.

Criminals boost their schemes with COVID-19 themed phishing templates

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to.

“Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials,” Proofpoint researchers have noted.

The COVID-19 themed phishing templates

Cybercriminals have eagerly embraced the opportunities brought on by the COVID-19 pandemic. One of those is the fact that many governments and non-governmental organizations are offering crucial information about the virus and/or financial assistance.

The crooks have put a lot of effort into creating convincing phishing page templates to impersonate these organizations and make it easier to quickly set up new pages once current ones get blacklisted.

Most of the templates aren’t exact copies of the impersonated websites, but they do copy their look and feel – and that’s often enough to fool many targets.

For example, the multi-layered template that spoofs the legitimate Canadian government website starts with a page that asks users to choose whether they want to continue using the site in English or French (the country’s two official languages), and then offers the credential phishing pages in the chosen language.


Another template that impersonates the US Internal Revenue Service (IRS) first tells the potential victim they are eligible for financial aid as part of the COVID-19 relief program and then leads them to the page asking for their personal information.

Similar schemes are used to impersonate Her Majesty’s Revenue and Customs (HMRC) in the United Kingdom, the French government, the World Health Organization (WHO), the US Centers for Disease Control (CDC), and so on.


The crooks are exploiting people’s anxiety and despair to steal login credentials for a variety of online accounts – Gmail, Office 365, Outlook, etc. – as well as sensitive information such as names, addresses, social security/insurance numbers, payment card information, and so on.

So far, Proofpoint researchers have seen more than 300 different COVID-19 campaigns this year and, as the COVID-19 situation continues to unfold, they expect these kinds of attacks to continue and threat actors to offer additional tools that make those attacks easier to carry out.

Is the future of information security and tech conferences virtual?

The COVID-19 pandemic has brought about many changes to our personal and work lives. Among the latter are the forced work from home shift and the inability to travel far and attend in-person meetings, industry-specific workshops, events and conventions.


And while RSA Conference USA – the largest information security conference in the world – managed to take place mere weeks before the World Health Organization declared COVID-19 a pandemic, European countries started closing borders, and airlines started suspending routes and grounding planes, most infosec and tech events scheduled to take place after it were doomed.

One by one, they were postponed, canceled or went virtual. While it’s still impossible to tell whether the conferences postponed until the already-crowded (northern hemisphere) fall season will actually take place, we’ve asked some people who are involved in organizing them to give their opinion on the future of large information security and tech gatherings.

Smaller, more local in-person events

Jack Daniel, one of the co-founders of Security BSides, thinks that, long term, a lot of events will not resume and others will be scaled back.

“The economic fallout from the pandemic will limit funding for events large and small, and caution over transmission of illness will continue for a while,” he told Help Net Security.

When it comes to events that are organized under the BSides banner by different organizers in various corners of the world, he expects their number to diminish and those that do take place to be smaller.

“I think this will be true for events in general, but for BSides my hope is that it will drive focus to local events, local communities, and local opportunities – places where BSides have the most profound impact,” he added.

Michael Hiskey, Chief Strategy Officer at Data Connectors, a company that has been conducting cybersecurity conferences in cities across the US and Canada for the last 20 years or so, says they believe that, post-pandemic, conferences and trade shows will be far more “down to business.”

“Regional relationship teams, meeting directly with accounts in their area, is where the action will increasingly be,” he opined.

“For the purposes of educating cybersecurity professionals and connecting them with solutions with a presence in their region, smaller conferences will grow in their importance. They cost less, which will appeal to the bottom-line professionals, they will connect regional account executives with prospects (ask any account executive who’s had to hand off a prospect at a big trade show to the appropriate regional connection, and you’ll see the frustration), and will enable the 20% of job seekers who attend any conference to focus on the next opportunity in their area.”

The pros and cons of virtual events

While virtual events are – currently and generally – the most effective way of gathering people who are otherwise restricted from traveling, they will not become the only (or even predominant) method of conferencing, Hiskey says.

“Replacing an all-day conference with an hours-long webinar will not meet the needs of conference-goers,” he noted.

“We have found that immersive, live virtual event platforms, offer the opportunity for interacting with exhibitors, solution providers and peer-to-peer networking. Surprisingly, with respect to otherwise introverted attendees, we’ve found they’re more likely to reach out for networking than at a physical event. While the ‘happy hour’ might not be quite the same, virtual event platforms have thought through almost every facet of the physical event experience.”

Twitter discussions on what kind of virtual conferences eager attendees would prefer have brought to light disparate needs, wants and limitations.

Many say that, while working from home, attending a whole-day virtual event is nearly impossible due to more immediate and pressing obligations – both work-related and personal.

And while those who would otherwise be prevented from attending a specific conference – whether due to the lack of a visa, funds, free time, physical mobility or psychological/social capacity – have mostly welcomed the diversity of virtual event offerings, most say that the networking aspect on in-person conferences is difficult to recreate.

For one, it is difficult to replicate the serendipitous aspect of real-life introductions that happen just because someone is sitting/standing physically beside you at an after-conference party or while waiting for a talk to start.

Secondly, even if there is a virtual space (“hallway”) that simulates an informal gathering, chit-chatting and discussing things there – whether over Zoom, Twitch, Slack or chat rooms – is far more tasking than in-person.

All in all, most agree that virtual “conferences” are a good enough option when there is no other option, but that they prefer the offline versions.

As Daniel noted, people attend and participate in events for a lot of reasons, and virtual events satisfy some, but come up short for many things.

“Virtual events will never have the same impact as far as connecting people, whether for community building, or for sales and support. Virtual events also don’t have the social bonds that in-person events have,” he opined.

Things to keep in mind when switching to a virtual venue

While some organizers keep hoping the situation will return to normal soon and they will be able to reboot their events, others have decided to cut their losses here and now.

O’Reilly Media is one of the latter. In late March 2020, after having previously postponed or cancelled some of their Strata conferences, the company announced they would be closing down the live conferences portion of their business.

“Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis,” Laura Baldwin, President at O’Reilly Media, explained at the time, and said that they will concentrate their efforts on delivering quality on-line events.

“We believe that global tech events are going to be permanently changed because of COVID-19. We were already seeing a trend towards larger user events for specific tools or platforms, instead of conferences that represented the full ecosystem within a technology practice area,” she told Help Net Security.

“At our own events, the fastest-growing, most popular portion of our conferences had been the two training days ahead of the events themselves. Additionally, O’Reilly started delivering on-line training events in 2016, and has worked hard to perfect the delivery and efficacy of our live-trainers. The attendance at these events has proven that this type of focused learning can be delivered online and made even better with easy access to our interactive learning platform. This has been bolstered by the accelerated rate of technology over the past few years, which means attendees find it more difficult to be out the office for a week to attend an event. People who had traditionally attended our in-person events started showing up more at our live trainings and other interactive learning events on our platform.”

Organizers of online events must not make the mistake of switching the “venue” but not the form.

As open source developer and community manager Michael Hall recently explained, there are a number of problems that have to be solved for a newly virtual event to be successful in the long run. His opinions, based on his experience helping Canonical turn the Ubuntu Developer Summit into an online affair, should be required reading for organizers looking to make the switch.

Baldwin also agrees that virtual events are going to be different – and that’s ok.

“While networking may be made more difficult, there are so many aspects of in-person events that can be improved upon and we’re already starting to see that,” she noted.

“Within 10 days of cancelling our Strata Data & AI conference, we had recreated it as a two-day virtual event through our learning platform and had 4,600 registered attendees. That in itself is a huge benefit because rather than planning an event a year out to secure venue space and give speakers time to travel, we can produce more nimble, timely and relevant events. The audience can register with little lead time because there’s no need to clear their calendars for a week, organize time away from the office and families, and book travel.”

She also says that they were ultimately impressed with the audience engagement: in just the first hour of the virtual conference, they had more than 160 questions asked of the initial presenter. “There’s no opportunity for that level of engagement during an in-person session,” she added.

Lastly, she says, shorter, more focused online events should also be taken into consideration.

“We’ve been doing live events that we call ‘Meet the Experts’ through our platform long before COVID-19 was ever an issue and had great results. It’s about 15 minutes of presentation and then 45 minutes of Q&A. While not necessarily networking, it does connect technology practitioners with innovators to get a better understanding of timely topics,” she concluded.

US victims lose $13 million from COVID-19-related scams

Successful COVID-19-themed fraud attempts perpetrated in the US since the beginning of the year have resulted in a little over $13 million in losses, the Federal Trade Commission has shared.

The real amount must be higher, though, as these losses are just the ones associated with the 17,425 COVID-19 complaints the FTC received in the last three and a half months. There are surely victims out there who didn’t bother to file a complaint.

The FTC’s latest statistics

Despite repeated alerts from a variety of sources – the FBI, the FTC, the FCC – US citizens continue to fall for COVID-19-themed scams.

While the number of complaints is highest in the travel/vacations category, the FTC noted that most of these reports were about cancelations and refunds rather than fraud.

Scams related to online shopping are also numerous, but fraud attempts in which fraudsters impersonate various businesses seem the most lucrative: the total loss from 384 reported cases is $1.2 million, which is roughly $3,125 per case.



The FTC also analyzed the 1,225 COVID-19-themed Do Not Call reports they received in this period:


Do Not Call reports are made by people who have put themselves on the Do Not Call list, meaning they do not want marketers to call them on the phone. Unfortunately, some marketers don’t use the list to avoid calling those individuals, and scammers certainly don’t give it a second thought.

Finally, the greatest numbers of complaints came from California, Florida, New York and Texas. This is not wholly unexpected, as these are the four most populous US states.

Scammers don’t target just Americans

In March, Reuters reported that in just one month, victims in the United Kingdom have lost more than 800,000 pounds ($1 million) to COVID-19-linked scams.

Unfortunately, scammers and conmen will always find easy marks. The best we can do is to repeat and link to advice aimed at keeping consumers and businesses safe.

Researchers find shift in monthly web traffic amidst pandemic

There have been shifts in total web traffic broken down by the world’s largest industries as the COVID-19 pandemic has unfolded over the past several weeks, according to Imperva.


Based on a weekly average compared to Jan. 19, 2020 traffic, industries that experienced an increase in web traffic from March 1 through March 22, 2020 include:

  • News (+64%)
  • Food and beverages (+34%)
  • Retail (+28%)
  • Gaming (+28%)
  • Law and government (+17%)
  • Education (+17%)

Industries that faced a decrease in web traffic from March 1 through March 22, 2020 include:

  • Sports (-46%)
  • Adult (-42%)
  • Travel (-41%)
  • Automotive (-35%)
  • Financial services (-7%)
  • Gambling (-3%)
  • Healthcare (-3%)

Spikes in attacks on government and law sectors

The report revealed increased spikes in attacks against government and law sectors as the United States launched its Democratic primaries, and early signs of change in industry traffic and attack trends due to COVID-19. Key findings between Feb. 1 and Feb. 29, 2020 include:

  • First sign of shift in web usage as COVID-19 spreads globally. During the month of February, Imperva began monitoring how and if the cross-border spread of COVID-19 started to affect traffic and attack trends across multiple industries and countries. Traffic changes were detected in the News (+10%), Travel (-5%) and Finance (-5%) industries, however there were no major changes in the amount of attacks per industry and country.
  • The United States and New Zealand both experienced spikes in attacks on government and law sectors. Within the United States, there was a 10% increase in the average number of attacks per site in these sectors as the Democratic primary elections picked up. The top three countries of origin outside of the United States were Russia (22%), Ukraine (12%) and China (9%), and 99% of attacks overall were carried out by bots. Additionally, New Zealand experienced an 800% spike in attacks on Feb. 17 and 18.
  • Web attacks originating from cloud platforms saw a 27% decline for the second month in a row. While attackers are still using cloud platforms to disseminate attacks, there was a 20% increase in attacks originating from web hosting services.
  • India is the country with the highest number of spam attacks. Comment spam attacks in India are twice as common as those in other frequently spammed countries, including Canada, Spain, the United Kingdom and the United States.

“This new research from the Cyber Threat Index is a testament to the rapidly changing security landscape, and we can expect to see some of these threats—particularly attacks on government and law sectors—continue to proliferate as we inch closer to the 2020 U.S. presidential election,” said Nadav Avital, head of security research at Imperva.

“Government websites will only become an even bigger target to malicious actors, so organizations must prepare now before it’s too late. We’ll continue to monitor how this space evolves and provide recommendations for the right course of action.”

The February 2020 Index score of 782—on a scale of zero to 1000—is the highest to date, rising from 776 in January 2020.

How finance leaders plan to react to COVID-19

The potential for COVID-19 to lead to a global economic downturn is the top concern for finance leaders in the US and Mexico, according to PwC. However, 90% of finance leaders say their business would return to normal in less than 3 months if COVID-19 were to end immediately.


Key findings

  • All finance leaders say their business is experiencing some impact as a result of coronavirus.
  • 54% of respondents say the outbreak has the potential for “significant” impact to business operations.
  • 58% expect a decrease in their company’s revenue and/or profits this year.
  • 34% say impact has been limited to specific regions, but that they are monitoring developments closely.
  • Just 14% of finance leaders reported that their company is not considering any financial actions as a result of COVID-19.
  • Only 30% are considering supply chain changes.
  • 80% indicated that a potential global recession rated among their top-three concerns with respect to COVID-19.
  • 48% of finance leaders expect to change disclosures.

“Uncertainty, especially regarding both the length and severity of the COVID-19 pandemic, is a predominant concern for chief financial officers,” said Tim Ryan, PwC US Chair and Senior Partner.

“However, with 90% of CFOs and finance leaders optimistic that they can return to normal business operations fairly quickly if the pandemic stops soon, this should signal a strong sense of urgency for business leaders to work closely with government and public health officials to help address the crisis.”


Most finance leaders optimistic

“Most finance leaders surveyed seem to be optimistic about a resolution to the spread of the coronavirus and as a result are focused on near-term versus long-term solutions to managing costs,” said Amity Millhiser, PwC US Vice Chair and Chief Clients Officer.

“However, if conditions continue to deteriorate we would expect to see a pullback in long-term investment spending as companies move to longer-term cost containment strategies.”

Of the 50 finance leaders surveyed, 80% are from Fortune 1000 companies, with the others from healthcare non-profit associations or privately held companies; 44 respondents are from the US and 6 are from Mexico.