Belgium Introduces National Legal Vulnerability Disclosure Framework & Policies

Posted in Commentary with tags , on February 17, 2023 by itnerd

The Centre for Cyber Security Belgium has just enacted nation-wide vulnerability disclosure policies and a reporting framework, including several obligations for security researchers such as:

a) You must limit yourself strictly to the facts necessary to report a vulnerability – you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability

b) You must act without fraudulent intent or design to harm

c) As soon as possible after the discovery of the potential vulnerability, you must inform the organization responsible for the system, process or control of the vulnerability

You can read the announcement here, and the policy here.

Chloe Messdaghi, Managing Director at Impactive Partners had this comment:

   “Belgium is offering a good example of where every country needs to be with their vulnerability disclosure policies. Unfortunately, the US is still piecing together our VDP legal framework, although in 2022, the DOJ revised its policies under the Computer Fraud and Abuse Act (CFAA) to help protect “good-faith” security research from being prosecuted, and the US Army actively encourages researchers to participate in its VDP.

   “With cyber threats growing exponentially over the last several years, it’s past time to actually require that certain types and sizes of organizations across the US – and especially including all Federal agencies and NGOs – have robust protective, active vulnerability disclosure policies.  VDPs have been viewed by security-aware organizations as must-have for many years. The thing to remember is that EVERYONE in both the public and private sector is now a target, and virtually everyone has exploitable, exposed assets they need to find and fix before a threat actor finds them – this is why we need VDPs. 

   “Remember back in 2021 when the UN disclosed a data breach exposing over 100K UNEP records? We applauded Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted. This was a great example of how vulnerability disclosure policies work, and underscored the value of working closely with independent researchers, i.e., hackers.”

Christopher Vaughan, VP, Technical Account Management at Tanium follows up with this comment:  

“This is a welcomed development and having such laws in place will make Belgium a more secure country as a whole.  Further, it will help position Belgium as go-to destination for security research with a corresponding benefit of cultivating a greater number of homegrown talent.   

“We can also expect to see some ambiguity around what’s considered legal and not.  There isn’t a huge sample size of where policies such as this have been enacted on a national level, so it will be interesting to see a program of this scale in action. 

I really like the fact that Belgium is doing this and I hope that other countries will do something similar as actions like this will make us all safer.

Leave a comment »

Targus Releases New Global Study To Find Out How People can Empower Their Lives Inside And Outside Of Work

Posted in Commentary with tags on February 16, 2023 by itnerd

Targus has released the results of its annual 2023 Global Workplace Study, which examines the key factors, tools, and trends that are important for improving employee wellbeing, engagement, and productivity.  

According to the survey among 1,000 senior business decision makers and 6,000 workers across North America and Europe, the top three wellbeing priorities are: flexible working (47 percent), rewards and recognition (43 percent), and cost of living support (40 percent). In fact, 88 percent of business decision makers globally agree that flexible working positively impacts their staff retention and recruitment, an 11-point increase from 2021.  

Here are some of the study’s key findings:

  • Flexible and hybrid working remains the norm, with 58 percent of respondents in the U.S. stating that they do not work from an office full time and 51 percent stating that they only work in an office between two and four days per week.
  • Having the right tools to work from anywhere is extremely important. Specifically, 80 percent of U.S. workers and 82 percent globally believe their job satisfaction and productivity would be negatively impacted without the right tech accessories to do their work. However, many businesses supporting flexible working conditions do not supply their employees with the tech accessories they need to work well remotely, such as a keyboard, mouse, headphones, additional monitor(s), and hub. An annual budget to purchase accessories ranked in the top five ways to enhance wellbeing at work.
  • Businesses and consumers increasingly prioritize sustainability, with more than 53 percent of global respondents stating that sustainable attributes influence their purchasing considerations for tech accessories. In the U.S., alone, 62 percent of people say they are happy to pay more for sustainable products that last longer, and 72 percent say they buy less fast fashion products and invest in long-lasting products.

Read the complete 2023 Global Workplace Study for more valuable insights on the state of the workplace.

Leave a comment »

Emsisoft Says Hackers Are Spoofing Its Certificates

Posted in Commentary with tags on February 16, 2023 by itnerd

Hackers are using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses:

We recently observed an incident in which a fake code-signing certificate supposedly belonging to Emsisoft was used in an attempt to obfuscate a targeted attack against one of our customers. The organization in question used our products and the attacker’s aim was to get that organization to allow an application the threat actor installed and intended to use by making its detection appear to be a false-positive.

The attack failed – our product detected and blocked it – but we are issuing this alert so that both our customers and users of other company’s products are aware of the tactics that were used in this case. 

Kevin Bocek, VP Ecosystem and Community at Venafi had this to say:

“Spoofing has been an issue for companies for a long time, but more commonly associated with website spoofing linked to phishing – so it’s interesting that the same ‘change one letter’ approach is being applied to code signing machine identities. The fact that we’re seeing threat actors impersonating companies with fake code-signing certificates is a sign of the times, as we are increasingly seeing threat actors targeting machine identities, due to the level of trust they have within the network. Threat actors understand that being granted trusted access to a company’s system via fake machine identities is akin to being ushered through the digital front door. In this instance the spoofed identity was detected and flagged, but it could easily have been overlooked.

“The continued adoption of cloud native technologies is creating huge levels of complexity around machine identity management, it’s harder than ever for teams to make decisions on what can and can’t be trusted to run – especially given the speed of development environments. With the number of machine identities across an organization growing exponentially, organizations need a control plane to automate the management of machine identities. This provides teams with the observability, consistency and reliability needed to effectively manage their machine identities and spot any bad actors from trying to spoof their way in.”

This is yet another thing for you to keep your eyes out for as the attack surface that threat actors use is clearly evolving.

1 Comment »

Hackers Using Havoc Post-Exploitation Framework In Attacks

Posted in Commentary with tags on February 16, 2023 by itnerd

Security researchers at Zscaler ThreatLabz observed threat actors using the open-source C2 framework known as Havoc in attack campaigns targeting government organizations.

The Havoc framework is an advanced post-exploitation command and control framework is an alternative to paid options such as Cobalt Strike and Brute Ratel and is capable of bypassing the most current and updated version of Windows 11 Defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation.

Matt Mullins, Senior Security Researcher at Cybrary had this to say:

   “Command and Control (or C2) frameworks are nothing new to the threat actor community. For a long time, the FOSS (Free and Open-Source Software) community had a harder time keeping up with the features and functionality associated with premium paid tools like Cobalt Strike. This left learners, lower budget teams, and criminal groups with limited options around older frameworks like Empire, Metasploit, and some very basic custom tooling.

   “This all changed around 2018, when it seems that C2 frameworks simply exploded in options. There were a number of very sophisticated tools that reached a fair degree of maturity (such as Sliver, Mythic, etc.) while older frameworks were forked and revisited (such as BC-Security’s Empire fork) that gave a wonderful buffet of options to the aforementioned groups.

   “As with most things in the industry, as these options became available, so did the options being implemented in threat actor TTPs. Outside of these robust options being made available, paid tooling was beginning to be leaked. Cobalt Strike has had its source code leaked a number of times now, along with other paid tools being shared and cracked. Cracked software is nothing new but what is interesting is the specific shift of criminal groups to target cracking of red team software, as well as red teams for licenses.

   “With such a cornucopia of options available to criminals, the detections and patterns used to previously sink paid tools aren’t nearly as effective. Take for consideration Cobalt Strike, it was already a big waste of money even back in 2018 because nearly every IR team, EDR tool, or any other defensive capability under the sun, has detection ruling built for a majority of its offerings. This means that it was only useful to advanced red teamers, or criminals, because of the amount of customization needed to get it to work. This brings me back to the original point, why would anybody waste their money or time on Cobalt Strike when they can just download Havoc and it “works” off of the shelf and bypasses detections? Criminals now no longer need to hunt for licenses or crack software, while red teams don’t need to pay absurd prices for tools that they have to know how to use and customize.

   “The cat-and-mouse game of detection and innovation is about to accelerate in favor of the offensive side because of this blooming of C2s. Reflecting on the implementation of new tools like ChatGPT, along with other AI tools, and you now have more rapid generation of payloads, phishing emails, and other attacker-beneficial aspects. I can only surmise that we will see more breaches (and thus more potential undetected breaches) as a result of this increase in options and sophistication.”

The best thing about this for threat actors is thatit’s free! Which is bad for you and I.

Leave a comment »

BenQ Says Our Average Screen Time Per Day Is Up, And Digital Screens Are The New Faux Pas! 

Posted in Commentary with tags on February 16, 2023 by itnerd

Digital screens in today’s day and age are the new faux pas. Screen-time has gone up significantly over the last decade, and many of us don’t really realize how much we rack up over the course of a day, a week, a month and year!  

On average, a Canadian adult spends 13.1 hours per day on screen-time, exceeding the recommended limit. In only eight hours, we are exposed to 5.8 million flickers from our screens. While making efforts to reduce screen time is important, it’s just as vital to determine whether our devices are affecting us physically. BenQ, one of North America’s leading monitor brands, understands that professional individuals, and gamers often have limitations when it comes to how much screen time they rack up, which is why they’ve implemented eye-care technology into their high-performance monitors.   

Developed to protect your eyes,BenQ’s Eye-CareU, ensures that that eyestrain, eye-pain, and headaches are reduced.  Being the first monitor manufacturer to prioritize eye health, BenQ has fitted their monitors with innovative functions such as:   

  • Brightness Intelligence+, a feature that detects screen content and environmental lighting, adjusting display brightness and colour temperature 
  • Brightness Intelligence, a sensor that detects ambient light as well as the brightness and contrast of screen content. It adapts brightness and enhances dark areas on the display without overexposing in bright regions   
  • Flicker-free, a technology certified by international TÜV Rheinland, which eliminates flicker  
  • Low Blue Light, a technology that filters harmful blue light.  
  • Low Blue Light+, a technology that filters out the shorter, higher energy blue-violet radiation.  

Here’s a round-up of some of BenQ’s high performance monitors that include the Eye-Care Solution:

EX240N – MOBIUZ 1ms 23.8″ 165Hz Gaming Monitor 

  • Adjusts display brightness and color temperature for a more comfortable viewing experience 
  • Colour Weakness Mode – Red and green filters help individuals with the common types of color vision deficiency distinguish colors more easily 

GW2785TC 27″ 1080p Eye-Care Monitor 

  • Reading Mode – Designed to filter out harmful blue light 
  • Coding Mode – Devised to make every color pop out for easy readability and coding efficiency 
  • Care Mode – Specially-tuned to lowered brightness and color saturation to protect sensitive eyes 

Leave a comment »

TELUS becomes official premier partner of Vancouver Whitecaps FC

Posted in Commentary with tags on February 16, 2023 by itnerd

The Vancouver Whitecaps FC announced TELUS as the club’s premier partner through 2027. The multi-year partnership brings together two longstanding Vancouver-based organizations with a proven and shared commitment to drive meaningful change in their local communities. 

To kick off the new partnership and 2023 season, Vancouver Whitecaps FC also unveiled its new 2023 jersey today, featuring the iconic TELUS brand. The new ‘Bloodlines’ Jersey shines a light on the pressing need for donors to support Canadian Blood Services, encouraging all Canadians from coast to coast to coast to download the Canadian Blood Services app and learn how they can help save lives.

The new jersey prominently featuring TELUS, will hit the field for the first time at the Whitecaps FC home opener on Saturday, February 25. To celebrate the new partnership, TELUS team members will be giving away co-branded Whitecaps scarves to every fan attending the match.

From February 16 to March 31, fans will be able to register for an account on the Canadian Blood Services app GiveBlood (myaccount.blood.ca) and show it at the Whitecaps FC Official Store or at a home match at BC Place to receive free personalized cresting (name and number) on a 2023 Bloodlines jersey. For more information on how to help support the Canadian Blood Services, visit blood.ca

Leave a comment »

Critical Insight Finds Healthcare Data Breach in 2H 2022 Higher than Pre-Pandemic Levels Affecting More Individuals

Posted in Commentary with tags on February 16, 2023 by itnerd

Critical Insight, the Cybersecurity-as-a-Service provider specializing in helping critical organizations Prepare, Detect, and Respond in today’s threat environment, announced today the release of the firm’s H2 2022 Healthcare Data Breach Report, which analyzes ​​breach data reported to the U.S. Department of Health and Human Services by healthcare organizations. The number of data breaches affecting healthcare providers declined in the second half of 2022, consistent with a downward trend over the past two years, but a deeper dive into the data reveals that current breach totals are still higher than pre-pandemic levels; breaches are affecting more individuals; and hackers are shifting tactics to attack weak links in the healthcare system supply chain, most notably attacking EHR systems. 

The report shows that while the number of data breaches affecting healthcare providers declined in the second half of 2022, the number of individual records exposed by these breaches increased by 35%. The report also highlights the evolving tactics of hackers and the need for healthcare organizations to prioritize preparation, detection, and incident response. Key Findings: Breach numbers are down: Total breaches dropped 9% between the first six months of 2022 and the year’s second half, declining since a high-water mark at the height of the pandemic from 393 breaches in the second half of 2020 to 313 in the latest reporting period. Records affected are up: The number of individual records exposed by breaches skyrocketed by 35% in the second half of 2022 to hit 28 million. 

In other words, fewer but more significant breaches reflect consolidation within the industry and the evolving tactics of attackers. Hacking remains high: Most data breaches are due to hacking. Healthcare organizations have done an excellent job of shoring up their policies around handling and storing medical records. Hacking accounted for 79% of all incidents and 84% of individual records exposed in 2022. Most common breach causes: Unauthorized access/disclosure now affects more records per breach than any other breach type. On average, the number of individuals affected per unauthorized access/disclosure breach spiked from 5,700 in the first half of 2022 to over 143,000 in the second half. By comparison, the average number of individuals affected per hacking breach grew from 73,900 to 87,000 in 2022. 

Who’s getting breached?: Attackers continue to attack hospitals but have found increasing success targeting business associates and third-party vendors such as electronic medical record providers, lawyers, accountants, billing companies, and medical device manufacturers. In the second half of 2022, more records were exposed due to breaches at business associates (48%) than actual healthcare providers (47%). 

What they’re watching: Attacks against EMR systems which were non-existent in past years, spiked to 7% in the first half of 2022 and 4% in the second half of 2022. For the full year 2022, EMR-related breaches accounted for 6 million individual records exposed.

This report provides valuable insights into the current state of healthcare breaches and the need for organizations to implement a comprehensive security strategy, including risk assessments, third-party risk management, and incident response planning.

To download the report, please visit https://cybersecurity.criticalinsight.com/healthcare-breach-report-h2-2022.

Leave a comment »

LinkedIn’s Publishes Their 2023 Most In-Demand Skills List

Posted in Commentary with tags on February 16, 2023 by itnerd

As the 2023 workforce rapidly evolves, conversations around ‘recession’ are up nearly 900% since last year and topics like layoffs are trending on LinkedIn. However, today’s professionals are finding confidence in their skills, allowing them to bounce back and move forward when facing job change – planned or not.

A complement to this year’s Jobs on the Rise list, which identified the 25 jobs which have grown most over the past five years, the Most In-Demand Skillslist offers an insider look at the skills companies need most right now and free LinkedIn Learning courses to learn these skills.

The 2023 top 10 most in-demand skills in Canada include:

  1. Management – Be The Manager People Won’t Leave
  2. Communication – Communication Foundations
  3. Customer Service – Customer Service Foundations
  4. Leadership – Human Leadership
  5. Microsoft Office – Excel Essential Training (Office 365)
  6. Sales – Sales Foundations
  7. Project Management – Project Management Foundations
  8. Teamwork – Being an Effective Team Member
  9. Research – Market Research Foundations
  10. Analytical Skills – Critical Thinking and Problem Solving

For the full list of the Most In-Demand Skills, and their corresponding LinkedIn Learning courses, visit here.

Leave a comment »

New Variation Of The PayPal Phishing Attack Sends Malicious Invoices Victims to Steal Personal Credentials

Posted in Commentary with tags on February 16, 2023 by itnerd

In July 2022, researchers at Avanan, a Check Point Software Company, wrote about a new campaign where hackers are sending phishing emails and malicious invoices directly from PayPal. Avanan has released its latest blog discussing how threat actors are continuing to take advantage of PayPal in a variety of ways to send malicious invoices directly to users. 

In this attack, victims are presented with emails, coming directly from PayPal, regarding fraudulent charges or renewal notifications. These notifications encourage users to take action by calling the provided number to reverse the charges. They are then prompted to provide personal information in which hackers save and use for future attacks. 

You can read the blog here.

Leave a comment »

Multilingual BEC Groups Use Auto Translate Tools for Payment Fraud, Payroll Diversion, And Executive Impersonation

Posted in Commentary with tags on February 16, 2023 by itnerd

Abnormal Security has identified two groups using executive impersonation to execute BEC attacks on companies worldwide. In a new report, the company provides details on Midnight Hedgehog, a group engaging in payment fraud, and Mandarin Capybara, a group performing payroll diversion attacks. This new report provides insight into the impact of multilingual BEC attacks, in-depth analysis of the tactics and techniques used by these groups, and offers actionable advice to organizations to defend against multilingual email-based attacks.

These groups use executive impersonation to deceive recipients into making payments for bogus services or changing payroll account details, often posing as a company’s CEO. The report highlights that by leveraging commercial online services and widely available marketing technology, BEC actors can rapidly scale their efforts, maximizing their reach and wreaking havoc across the globe.

You can read the report here.

Leave a comment »

« Older Entries
Newer Entries »